PP-conf_24Oct13
a guest
Oct 24th, 2013
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######

# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
###rule_url=http://www.snort.org/pub-bin/e5454e32094dd017be5907b5cacb387eb55d2152/snortrules-snapshot-2950.tar.gz
# rule_url=http://www.snort.org/pub-bin/snortrules-snapshot-2950.tar.gz/e5454e32094dd017be5907b5cacb387eb55d2152

# Commented out this line on 24th Oct 2013 as per the suggestions by JJ Cummings
##rule_url=https://www.snort.org/reg-rules/snortrules|snapshot-2950.tar.gz|e5454e32094dd017be5907b5cacb387eb55d2152
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|e5454e32094dd017be5907b5cacb387eb55d2152
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|e5454e32094dd017be5907b5cacb387eb55d2152
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
## Evaluate by adding this option and see the difference
## (refer: http://comments.gmane.org/gmane.comp.security.ids.snort.general/33954)
#rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

####*rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
## rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# NEW Community ruleset:
# Commented out the community rules on 22nd Oct 2013 as it is going into a loop. Will be dropping a mail to the community for this issue and revert back
#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist (This is enabled on 17th Oct 2013)
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# URL for rule documentation! (slow to process)
##rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
#rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!
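
The rule_url rules spelled out in the comments above (url|tarball|oinkcode per entry, comma-separated entries on one line, IPBLACKLIST as the tarball field for an IP blacklist feed, and the version-less snortrules-snapshot.tar.gz name being completed from snort_version) are easy to get wrong by hand: a stray space before the pipe or a trailing note after the oinkcode silently becomes part of the URL or the code. The checker below is an added example, not pulledpork's own code. It assumes the version is filled in by concatenating the four digits of snort_version (2.9.5.0 gives snortrules-snapshot-2950.tar.gz, as the commented URLs above show) and that a real VRT oinkcode is a 40-hex-digit token, which is why it also flags entries carrying one: that token is an account credential and should be redacted before a config is shared. The sample config text is constructed.

```python
"""Check pulledpork rule_url entries the way the config comments describe them.

Added example, not pulledpork's own code. An entry is url|tarball|oinkcode,
entries may be comma-separated on one rule_url line, a tarball field of
IPBLACKLIST marks an IP blacklist feed whose url is the full file URL, and
a version-less snortrules-snapshot.tar.gz name is completed from
snort_version (assumption: 2.9.5.0 -> snortrules-snapshot-2950.tar.gz).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample config: a placeholder oinkcode, a constructed 40-hex
# "real-looking" one, a comma-separated pair, and one malformed entry.
SAMPLE_CONF = """\
# comment lines and blank lines are skipped

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open,http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=http://rules.emergingthreats.net |emerging.rules.tar.gz|open-nogpl (refer: mailing list)
snort_version=2.9.5.0
"""


@dataclass
class RuleSource:
    url: str
    tarball: str
    oinkcode: str
    problems: list = field(default_factory=list)

    @property
    def is_blacklist(self) -> bool:
        return self.tarball == "IPBLACKLIST"

    @property
    def carries_secret(self) -> bool:
        # Assumption: a real VRT oinkcode is a 40-hex-digit account token;
        # "open" and <placeholder> values are not secrets.
        return re.fullmatch(r"[0-9a-f]{40}", self.oinkcode) is not None


def snapshot_name(tarball: str, snort_version: str) -> str:
    """Fill in the version part of snortrules-snapshot.tar.gz from a 4-part
    snort_version; a tarball name that already carries a version is kept."""
    if tarball != "snortrules-snapshot.tar.gz":
        return tarball
    parts = snort_version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"snort_version must have 4 numeric parts: {snort_version!r}")
    return f"snortrules-snapshot-{''.join(parts)}.tar.gz"


def parse_rule_url(value: str) -> list:
    """Split one rule_url value into entries (comma-separated) and fields ('|')."""
    sources = []
    for entry in value.split(","):
        fields = entry.split("|")
        if len(fields) != 3:
            sources.append(RuleSource(entry, "", "",
                           [f"expected url|tarball|oinkcode, got {len(fields)} fields"]))
            continue
        url, tarball, code = fields
        src = RuleSource(url.strip(), tarball, code)
        if url != url.strip() or " " in tarball or " " in code:
            src.problems.append("whitespace inside the entry becomes part of the URL or code")
        parsed = urlsplit(src.url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            src.problems.append("url must start with http:// or https://")
        elif not src.is_blacklist and not src.url.endswith("/"):
            src.problems.append("url should end with '/' because the tarball name is appended to it")
        if "(" in code or "#" in code:
            src.problems.append("trailing text in the oinkcode field; nothing may follow the value")
        sources.append(src)
    return sources


def lint_conf(text: str) -> dict:
    """Walk a pulledpork.conf and return its rule sources with problems annotated."""
    snort_version = None
    sources = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "snort_version":
            snort_version = value.strip()
        elif key.strip() == "rule_url":
            sources.extend(parse_rule_url(value.strip()))
    if snort_version:
        for src in sources:
            if not src.problems:  # only complete well-formed entries
                src.tarball = snapshot_name(src.tarball, snort_version)
    return {"snort_version": snort_version, "sources": sources}
```

Running `lint_conf(SAMPLE_CONF)` yields five sources: the snapshot entry comes back as snortrules-snapshot-2950.tar.gz, the blacklist entry is accepted without a trailing slash because its URL points at the file itself, the second entry is flagged as carrying a secret, and the last entry collects three problems (whitespace, missing slash, trailing text) that would otherwise only show up as a failed download.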
  49.  
# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
# regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
# rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
# preprocessor rules located in the /preproc_rules directory of the tarball,
# ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
# rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-data
# preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
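
The four ignore forms above decide which rule files never reach snort, so it is worth seeing exactly what a given ignore= line keeps and drops before trusting it. The code below is an added example, not pulledpork's own code. It assumes each rule type is a top-level tarball directory (rules/, preproc_rules/, so_rules/) holding <category>.rules files, with the so_rules/ stub files included; the tarball listing is constructed and runs the example line from the comments above.

```python
"""Apply a pulledpork ignore= list to the files of a rules tarball.

Added example, not pulledpork's own code. It implements the four forms the
config comments describe: a bare category name ignores that category in
every rule type, '.rules' only under rules/, '.preproc' only under
preproc_rules/, and '.so' only under so_rules/. Assumption: each rule type
is a top-level tarball directory holding <category>.rules files.
"""
from __future__ import annotations

from pathlib import PurePosixPath

# Ignore suffix -> the only tarball directory that form applies to.
SUFFIX_DIRS = {"rules": "rules", "preproc": "preproc_rules", "so": "so_rules"}

# Constructed sample listing of a rules tarball.
SAMPLE_TARBALL = [
    "rules/dos.rules",
    "so_rules/dos.rules",
    "rules/p2p.rules",
    "so_rules/p2p.rules",
    "rules/netbios.rules",
    "so_rules/netbios.rules",
    "preproc_rules/sensitive-data.rules",
    "preproc_rules/decoder.rules",
    "rules/deleted.rules",
    "rules/web-attacks.rules",
]


def parse_ignore(value: str) -> list[tuple[str, str | None]]:
    """'dos,sensitive-data.preproc,p2p.so,netbios.rules' -> [(category, directory or None)]."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, dot, suffix = item.rpartition(".")
        if dot and suffix in SUFFIX_DIRS:
            entries.append((name, SUFFIX_DIRS[suffix]))
        else:
            entries.append((item, None))  # no recognised suffix: ignore in every rule type
    return entries


def is_ignored(member: str, ignore: list[tuple[str, str | None]]) -> bool:
    """True if a tarball member such as 'so_rules/p2p.rules' is dropped by the ignore list."""
    path = PurePosixPath(member)
    if len(path.parts) != 2 or path.suffix != ".rules":
        return False  # not a <ruletype>/<category>.rules file
    directory, category = path.parts[0], path.stem
    return any(name == category and only_dir in (None, directory)
               for name, only_dir in ignore)


def apply_ignore(members: list[str], ignore_value: str) -> dict[str, list[str]]:
    """Partition tarball members into the ones kept and the ones the ignore list drops."""
    ignore = parse_ignore(ignore_value)
    kept = [m for m in members if not is_ignored(m, ignore)]
    dropped = [m for m in members if is_ignored(m, ignore)]
    return {"kept": kept, "dropped": dropped}
```

With the example line from the comments, `apply_ignore(SAMPLE_TARBALL, "dos,sensitive-data.preproc,p2p.so,netbios.rules")` drops both dos files, the so_rules p2p stub, the gid 1 netbios file and the sensitive-data preprocessor rules, while keeping rules/p2p.rules and so_rules/netbios.rules, which is exactly the outcome the comment above promises.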
  70.  
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/etc/snort/tmp
  74.  
#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEDE
####### any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/etc/snort/rules/snort.rules
##rule_path=/usr/local/etc/snort/rules/snort.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
# out_path=/usr/local/etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
##local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/etc/snort/sid-msg.map
##sid_msg=/usr/local/etc/snort/sid-msg.map

# New for barnyard2 (by2) and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1

# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional
  116.  
#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to (i.e. where it is
# defined in your snort.conf), needs a trailing slash
##sorule_path=/usr/local/lib/snort_dynamicrules/
sorule_path=/usr/local/lib/snort_dynamicrules/
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/sbin/snort
##snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
##config_path=/usr/local/etc/snort/snort.conf
config_path=/etc/snort/snort.conf

##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
sostub_path=/usr/local/etc/snort/so_rules/so_rules.rules
  140.  
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-5-0, Debian-6-0,
# Ubuntu-8.04, Ubuntu-10-4
# Centos-4-8, Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-7-3, FreeBSD-8-1
# OpenBSD-4-8
# Slackware-13-1
##distro=FreeBSD-8-1
#*distro=RHEL-6-0
distro=Centos-5-4

####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!

# If you are using IP Reputation and getting some public lists, you will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
# Enabled on 17th Oct 2013
black_list=/etc/snort/rules/default.blacklist
# Uncommented on 17th Oct 2013
#black_list=/etc/snort/rules/blacklist.rules

# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
# the IP list can be reloaded while snort is running through the use of a control
# socket. Please be sure that you built snort with the following options:
# --enable-shared-rep and --enable-control-socket. Be sure to read about how to
# configure these! The following option tells pulledpork where to place the version
# file for use with control socket ip list reloads!
# This should be the same path where your black_list lives!
##IPRVersion=/usr/local/etc/snort/rules/iplists

# The following option tells snort where the snort_control tool is located.
##snort_control=/usr/local/bin/snort_control

# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completion i.e. the written file is:
# pp_backup.1295886020.tgz
## backup_file=/tmp/pp_backup
backup_file=/tmp/pp070_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable

# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
## pid_path=/var/run/snort_eth0.pid
pid_path=/var/run/snort_eth2.pid,/var/run/barnyard2.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# This value MUST contain all 4 minor version
# numbers. ET rules are now also dependent on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
## snort_version=2.9.0.0
snort_version=2.9.5.0
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the appropriate path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.7.0