- #
- # Barnyard2 example configuration file
- #
- # (This copy is a deployed instance: hostname/interface and the syslog_full
- # output below are filled in for an "alienvault" sensor on eth2.)
- #
- # This file contains a sample barnyard2 configuration.
- # You can take the following steps to create your own custom configuration:
- #
- # 1) Configure the variable declarations
- # 2) Setup the input plugins
- # 3) Setup the output plugins
- #
- #
- # Step 1: configure the variable declarations
- #
- # in order to keep from having a commandline that uses every letter in the
- # alphabet most configuration options are set here.
- # use UTC for timestamps
- #
- # NOTE(review): with utc left disabled, event timestamps follow the local
- # timezone; enabling it makes correlation with other log sources easier.
- # Confirm against the timestamp setting of the Snort process being read.
- #config utc
- # set the appropriate paths to the file(s) your Snort process is using.
- #
- config reference_file: /etc/snort/reference.config
- config classification_file: /etc/snort/classification.config
- config gen_file: /etc/snort/gen-msg.map
- config sid_file: /etc/snort/sid-msg.map
- # Configure signature suppression at the spooler level see doc/README.sig_suppress
- #
- #
- #config sig_suppress: 1:10
- # Set the event cache size to defined max value before recycling of event occur.
- #
- #
- #config event_cache_size: 4096
- # define dedicated references similar to that of snort.
- #
- #config reference: mybugs http://www.mybugs.com/?s=
- # define explicit classifications similar to that of snort.
- #
- #config classification: shortname, short description, priority
- # set the directory for any output logging
- #
- config logdir: /var/log/snort
- # to ensure that any plugins requiring some level of uniqueness in their output
- # the alert_with_interface_name, interface and hostname directives are provided.
- # An example of usage would be to configure them to the values of the associated
- # snort process whose unified files you are reading.
- #
- # Example:
- # For a snort process as follows:
- # snort -i eth0 -c /etc/snort.conf
- #
- # Typical options would be:
- # config hostname: alienvault
- # config interface: eth0
- # config alert_with_interface_name
- #
- config hostname: alienvault_eth2
- config interface: eth2
- # enable printing of the interface name when alerting.
- #
- #config alert_with_interface_name
- # at times snort will alert on a packet within a stream and dump that stream to
- # the unified output. barnyard2 can generate output on each packet of that
- # stream or the first packet only.
- #
- config alert_on_each_packet_in_stream
- # enable daemon mode
- #
- #config daemon
- # make barnyard2 process chroot to directory after initialisation.
- #
- # NOTE(review): chroot is left disabled. It is a useful containment layer for
- # a long-running parser of attacker-controlled packet data; if enabled, the
- # logdir, waldo_file and archivedir paths must resolve inside the chroot.
- #config chroot: /var/log/snort
- # specify the group or GID for barnyard2 to run as after initialisation.
- #
- config set_gid: 113
- # specify the user or UID for barnyard2 to run as after initialisation.
- #
- # NOTE(review): UID 0 is root, so the process keeps root privileges after
- # initialisation even though it drops to an unprivileged GID (113 above).
- # Prefer a dedicated unprivileged user that owns logdir and waldo_file; the
- # only active output here is local syslog(), which does not appear to need
- # root — confirm before changing.
- config set_uid: 0
- # specify the directory for the barnyard2 PID file.
- #
- #config pidpath: /var/run/by2.pid
- # enable decoding of the data link (or second level headers).
- #
- #config decode_data_link
- # dump the application data
- #
- #config dump_payload
- # dump the application data as chars only
- #
- #config dump_chars_only
- # enable verbose dumping of payload information in log style output plugins.
- #
- #config dump_payload_verbose
- # enable obfuscation of logged IP addresses.
- #
- #config obfuscate
- # enable the year being shown in timestamps
- #
- config show_year
- # set the umask for all files created by the barnyard2 process (eg. log files).
- #
- # NOTE(review): umask is left at whatever the process inherits. Log and
- # archive files can contain captured packet payloads; setting 066 (or 077)
- # here keeps them from being world-readable regardless of how the daemon is
- # started.
- #config umask: 066
- # enable verbose logging
- #
- #config verbose
- # quiet down some of the output
- #
- #config quiet
- # define the full waldo filepath.
- #
- config waldo_file: /var/log/snort/waldo
- # specify the maximum length of the MPLS label chain
- #
- #config max_mpls_labelchain_len: 64
- # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
- #
- #config mpls_payload_type: ipv4
- # set the reference network or homenet which is predominantly used by the
- # log_ascii plugin.
- #
- #config reference_net: 192.168.0.0/24
- #
- # CONTINUOUS MODE
- #
- # set the archive directory for use with continuous mode
- #
- # NOTE(review): /tmp is world-writable and shared with every local user, so
- # processed unified2 files (raw alert/packet evidence) archived there can be
- # read, replaced or cleaned up by tmp reapers. A dedicated directory under
- # logdir with restrictive ownership is the safer choice — verify nothing
- # else depends on this path.
- config archivedir: /tmp
- # when operating in continuous mode, only process new records and ignore any
- # existing unified files
- #
- #config process_new_records_only
- #
- # Step 2: setup the input plugins
- #
- # this is not hard, only unified2 is supported ;)
- input unified2
- #
- # Step 3: setup the output plugins
- #
- # alert_cef
- # ----------------------------------------------------------------------------
- #
- # Purpose:
- # This output module provides the ability to output alert information to a
- # remote network host as well as the local host using the open standard
- # Common Event Format (CEF).
- #
- # Arguments: host=hostname[:port], severity facility
- # arguments should be comma delimited.
- # host - specify a remote hostname or IP with optional port number
- # this is only specific to WIN32 (and is not yet fully supported)
- # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
- # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
- #
- # Examples:
- # output alert_cef
- # output alert_cef: host=192.168.10.1
- # output alert_cef: host=sysserver.com:1001
- # output alert_cef: LOG_AUTH LOG_INFO
- #
- # alert_bro
- # ----------------------------------------------------------------------------
- #
- # Purpose: Send alerts to a Bro-IDS instance.
- #
- # Arguments: hostname:port
- #
- # Examples:
- # output alert_bro: 127.0.0.1:47757
- # alert_fast
- # ----------------------------------------------------------------------------
- # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
- #
- # Arguments: file <file>, stdout
- # arguments should be comma delimited.
- # file - specify alert file
- # stdout - no alert file, just print to screen
- #
- # Examples:
- # output alert_fast
- # output alert_fast: stdout
- #
- #output alert_fast: stdout
- # prelude: log to the Prelude Hybrid IDS system
- # ----------------------------------------------------------------------------
- #
- # Purpose:
- # This output module provides logging to the Prelude Hybrid IDS system
- #
- # Arguments: profile=snort-profile
- # snort-profile - name of the Prelude profile to use (default is snort).
- #
- # Snort priority to IDMEF severity mappings:
- # high < medium < low < info
- #
- # These are the default mapped from classification.config:
- # info = 4
- # low = 3
- # medium = 2
- # high = anything below medium
- #
- # Examples:
- # output alert_prelude
- # output alert_prelude: profile=snort-profile-name
- #
- # alert_syslog
- # ----------------------------------------------------------------------------
- #
- # Purpose:
- # This output module provides the ability to output alert information to local syslog
- #
- # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
- # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
- #
- # Examples:
- # output alert_syslog
- # output alert_syslog: LOG_AUTH LOG_INFO
- #
- # syslog_full
- #-------------------------------
- # Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL ie(syslog())
- # Arguments:
- # sensor_name $sensor_name - unique sensor name
- # server $server - server the device will report to
- # local - if defined, ignore all remote information and use syslog() to send message.
- # protocol $protocol - protocol device will report over (tcp/udp)
- # port $port - destination port device will report to (default: 514)
- # delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
- # separators $separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
- # operation_mode $operation_mode - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
- # log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
- # log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
- # payload_encoding - (default: hex) support hex/ascii/base64 for log_syslog_full using operation_mode complete only.
- # Usage Examples:
- # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
- # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
- # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
- # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
- # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
- # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
- # output alert_syslog_full: sensor_name snortIds1-eth2, local
- # NOTE(review): this is the only active output. "local" means syslog() on
- # this host (no remote server/protocol/port used), and operation_mode
- # complete includes the hexed raw packet in every message, so the LOG_LOCAL7
- # destination and its retention must be treated as holding packet payloads.
- # Every alert is logged at LOG_CRIT irrespective of Snort priority, which
- # flattens severity for anything downstream that filters on it.
- output alert_syslog_full: sensor_name alienvault-eth2, local, log_priority LOG_CRIT,log_facility LOG_LOCAL7, operation_mode complete
- # log_ascii
- # ----------------------------------------------------------------------------
- #
- # Purpose: This output module provides the default packet logging functionality
- #
- # Arguments: None.
- #
- # Examples:
- # output log_ascii
- #
- # log_tcpdump
- # ----------------------------------------------------------------------------
- #
- # Purpose:
- # This output module logs packets in binary tcpdump format
- #
- # Arguments:
- # The only argument is the output file name.
- #
- # Examples:
- # output log_tcpdump: tcpdump.log
- #
- # sguil
- # ----------------------------------------------------------------------------
- #
- # Purpose: This output module provides logging ability for the sguil interface
- # See doc/README.sguil
- #
- # Arguments: agent_port <port>, sensor_name <name>
- # arguments should be comma delimited.
- # agent_port - explicitly set the sguil agent listening port
- # (default: 7736)
- # sensor_name - explicitly set the sensor name
- # (default: machine hostname)
- #
- # Examples:
- # output sguil
- # output sguil: agent_port=7000
- # output sguil: sensor_name=argyle
- # output sguil: agent_port=7000, sensor_name=argyle
- #
- # database: log to a variety of databases
- # ----------------------------------------------------------------------------
- #
- # Purpose: This output module provides logging ability to a variety of databases
- # See doc/README.database for additional information.
- #
- # NOTE(review): the database output takes the password inline, so enabling it
- # turns this file into a credential store — restrict its permissions and keep
- # it out of shared pastes/backups if that is done.
- #
- # Examples:
- # output database: log, mysql, user=root password=test dbname=db host=localhost
- # output database: alert, postgresql, user=snort dbname=snort
- # output database: log, odbc, user=snort dbname=snort
- # output database: log, mssql, dbname=snort user=snort password=test
- # output database: log, oracle, dbname=snort user=snort password=test
- #
- # alert_fwsam: allow blocking of IP's through remote services
- # ----------------------------------------------------------------------------
- # output alert_fwsam: <SnortSam Station>:<port>/<key>
- #
- # <FW Mgmt Station>: IP address or host name of the host running SnortSam.
- # <port>: Port the remote SnortSam service listens on (default 898).
- # <key>: Key used for authentication (encryption really)
- # of the communication to the remote service.
- #
- # Examples:
- #
- # output alert_fwsam: snortsambox/idspassword
- # output alert_fwsam: fw1.domain.tld:898/mykey
- # output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
- #