IDSTools Module - Add base configs

salt/idstools/etc/disable.conf

@@ -0,0 +1,10 @@
+# idstools - disable.conf
+
+# Example of disabling a rule by signature ID (gid is optional).
+# 1:2019401
+# 2019401
+
+# Example of disabling a rule by regular expression.
+# - All regular expression matches are case insensitive.
+# re:hearbleed
+# re:MS(0[7-9]|10)-\d+

salt/idstools/etc/enable.conf

@@ -0,0 +1,10 @@
+# idstools-rulecat - enable.conf
+
+# Example of enabling a rule by signature ID (gid is optional).
+# 1:2019401
+# 2019401
+
+# Example of enabling a rule by regular expression.
+# - All regular expression matches are case insensitive.
+# re:hearbleed
+# re:MS(0[7-9]|10)-\d+

salt/idstools/etc/local.rules

@@ -0,0 +1 @@
+# Put your own custom Snort/Suricata rules in here.

salt/idstools/etc/modify.conf

@@ -0,0 +1,14 @@
+# idstools-rulecat - modify.conf
+
+# Format: <sid> "<from>" "<to>"
+
+# Example changing the seconds for rule 2019401 to 3600.
+#2019401 "seconds \d+" "seconds 3600"
+
+# Change all trojan-activity rules to drop. Its better to setup a
+# drop.conf for this, but this does show the use of back references.
+#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
+
+# For compatibility, most Oinkmaster modifysid lines should work as
+# well.
+#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"

salt/idstools/etc/rulecat.conf

@@ -0,0 +1,6 @@
+--suricata-version 4.0
+--merged=/opt/so/rules/nids/downloaded.rules
+--local=/opt/so/rules/nids/local.rules
+--disable=disable.conf
+--enable=enable.conf
+--modify=modify.conf