From 8333d50d46342bbd38e6bd7f65aebcca75cb3332 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 7 Feb 2018 12:13:09 -0500
Subject: [PATCH] PulledPork Salt Module- pulledpork.conf
---
 salt/pulledpork/etc/pulledpork.conf | 74 ++++++++++++++--------------
 1 file changed, 37 insertions(+), 37 deletions(-)
diff --git a/salt/pulledpork/etc/pulledpork.conf b/salt/pulledpork/etc/pulledpork.conf
index 736d7b3a1..0c9e6d981 100644
--- a/salt/pulledpork/etc/pulledpork.conf
+++ b/salt/pulledpork/etc/pulledpork.conf
@@ -1,32 +1,32 @@
 # Config file for pulledpork
 # Be sure to read through the entire configuration file
-# If you specify any of these items on the command line, it WILL take
+# If you specify any of these items on the command line, it WILL take
 # precedence over any value that you specify in this file!
 #######
-####### The below section defines what your oinkcode is (required for
-####### VRT rules), defines a temp path (must be writable) and also
-####### defines what version of rules that you are getting (for your
+####### The below section defines what your oinkcode is (required for
+####### VRT rules), defines a temp path (must be writable) and also
+####### defines what version of rules that you are getting (for your
 ####### snort version and subscription etc...)
-#######
+#######
-# You can specify one or as many rule_urls as you like, they
+# You can specify one or as many rule_urls as you like, they
 # must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
 # each on an individual line, or you can specify them in a , separated list
 # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
 # note that the url, rule file, and oinkcode itself are separated by a pipe |
-# i.e. url|tarball|123456789,
-rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
+# i.e. url|tarball|123456789,
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
 # NEW Community ruleset:
-rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
+#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
 # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|
 # This format MUST be followed to let pulledpork know that this is a blacklist
-rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open
+#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
 # URL for rule documentation! (slow to process)
-rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource
+#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
 # THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
 # and open-nogpl, to avoid conflicts.
-#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
+rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
 # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
 # and the et oinkcode requirement!
 #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|
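Review bot: The commented-out Talos blocklist line now reads `#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open` where the removed line used https; the moment someone uncomments it, the IP blocklist is fetched over cleartext and could be altered in transit, so keep the scheme as https (assuming the feed is served that way) or record in a comment why it cannot be. The active ET line now selects `open`, but the two context lines above still say `# and open-nogpl, to avoid conflicts.`, which contradicts the value; since the Snort VRT and community URLs are commented out the conflict presumably no longer applies, so either update that comment or keep `open-nogpl`. A comment on the ET line such as `# open (not open-nogpl): the Snort VRT/community feeds above are disabled, so no overlap` would make the choice deliberate for the next reader.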
@@ -56,22 +56,22 @@ ignore=deleted.rules,experimental.rules,local.rules
 # previous ignore line and uncomment the following!
 # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
-# What is our temp path, be sure this path has a bit of space for rule
+# What is our temp path, be sure this path has a bit of space for rule
 # extraction and manipulation, no trailing slash
 temp_path=/tmp
 #######
-####### The below section is for rule processing. This section is
+####### The below section is for rule processing. This section is
 ####### required if you are not specifying the configuration using
-####### runtime switches. Note that runtime switches do SUPERSEED
+####### runtime switches. Note that runtime switches do SUPERSEED
 ####### any values that you have specified here!
 #######
-# What path you want the .rules file containing all of the processed
-# rules? (this value has changed as of 0.4.0, previously we copied
+# What path you want the .rules file containing all of the processed
+# rules? (this value has changed as of 0.4.0, previously we copied
 # all of the rules, now we are creating a single large rules file
 # but still keeping a separate file for your so_rules!
-rule_path=/usr/local/etc/snort/rules/snort.rules
+rule_path=/opt/so/rules/nids/downloaded.rules
 # What path you want the .rules files to be written to, this is UNIQUE
 # from the rule_path and cannot be used in conjunction, this is to be used with the
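Review bot: `rule_path` is moved to `/opt/so/rules/nids/downloaded.rules`, but the context line `temp_path=/tmp` a few lines above is left unchanged, so downloaded rule tarballs are still extracted and manipulated in a world-writable, shared directory before the result is written to the new path. A dedicated directory owned by the account that runs pulledpork (for example `temp_path=/opt/so/pulledpork/tmp`, a constructed value) would keep the intermediate rule files out of reach of other local users; whether pulledpork itself checks for pre-existing files or links in temp_path is not visible from this hunk. If /tmp is kept on purpose, a comment above it such as `# shared /tmp is acceptable here only because <reason>` should say so.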
@@ -86,24 +86,24 @@ rule_path=/usr/local/etc/snort/rules/snort.rules
 # files that are local to your system here by adding a comma and more paths...
 # remember that the FULL path must be specified for EACH value.
 # local_rules=/path/to/these.rules,/path/to/those.rules
-local_rules=/usr/local/etc/snort/rules/local.rules
+local_rules=/opt/so/rules/nids/local.rules,/opt/so/rules/nids/decoder-events.rules,/opt/so/rules/nids/stream-events.rules,/opt/so/rules/nids/http-events.rules,/opt/so/rules/nids/smtp-events.rules
 # Where should I put the sid-msg.map file?
-sid_msg=/usr/local/etc/snort/sid-msg.map
+sid_msg=/opt/so/rules/nids/sid-msg.map
 # New for by2 and more advanced msg mapping. Valid options are 1 or 2
 # specify version 2 if you are running barnyard2.2+. Otherwise use 1
 sid_msg_version=1
-# Where do you want me to put the sid changelog? This is a changelog
+# Where do you want me to put the sid changelog? This is a changelog
 # that pulledpork maintains of all new sids that are imported
-sid_changelog=/var/log/sid_changes.log
+sid_changelog=/var/log/nsm/sid_changes.log
 # this value is optional
 #######
 ####### The below section is for so_rule processing only. If you don't
 ####### need to use them.. then comment this section out!
-####### Alternately, if you are not using pulledpork to process
+####### Alternately, if you are not using pulledpork to process
 ####### so_rules, you can specify -T at runtime to bypass this altogether
 #######
@@ -112,11 +112,11 @@ sid_changelog=/var/log/sid_changes.log
 sorule_path=/usr/local/lib/snort_dynamicrules/
 # Path to the snort binary, we need this to generate the stub files
-snort_path=/usr/local/bin/snort
+snort_path=/usr/bin/snort
 # We need to know where your snort.conf file lives so that we can
 # generate the stub files
-config_path=/usr/local/etc/snort/snort.conf
+config_path=/etc/nsm/templates/snort/snort.conf
 ##### Deprecated - The stubs are now categorically written to the single rule file!
 # sostub_path=/usr/local/etc/snort/rules/so_rules.rules
@@ -130,7 +130,7 @@ config_path=/usr/local/etc/snort/snort.conf
 # OpenBSD-5-2, OpenBSD-5-3
 # OpenSUSE-11-4, OpenSUSE-12-1
 # Slackware-13-1
-distro=FreeBSD-8-1
+distro=Centos-5-4
 ####### This next section is optional, but probably pretty useful to you.
 ####### Please read thoroughly!
@@ -165,8 +165,8 @@ snort_control=/usr/local/bin/snort_control
 # pp_backup.1295886020.tgz
 # backup_file=/tmp/pp_backup
-# Where do you want the signature docs to be copied, if this is commented
-# out then they will not be copied / extracted. Note that extracting them
+# Where do you want the signature docs to be copied, if this is commented
+# out then they will not be copied / extracted. Note that extracting them
 # will add considerable runtime to pulledpork.
 # docs=/path/to/base/www
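Review bot: `snort_path` and `config_path` are moved to `/usr/bin/snort` and `/etc/nsm/templates/snort/snort.conf`, but the context line `sorule_path=/usr/local/lib/snort_dynamicrules/` in the same so_rule section keeps the old /usr/local layout, so stub generation would take the binary from one prefix and the shared-object rules from another; confirm that directory really exists on the target or update it in the same change. `config_path` now names a file under a `templates` directory, which reads as a template rather than the live snort.conf — if the two differ, the stubs pulledpork generates may not match the configuration snort actually runs with, so a comment stating why the template is the right input would help. The related `distro=Centos-5-4` in the next hunk appears to select which precompiled so_rules are downloaded, and the accepted-values list above it is only partly visible here, so verify the value against that list.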
@@ -179,12 +179,12 @@ snort_control=/usr/local/bin/snort_control
 # Define the path to the pid files of any running process that you want to
-# sent a signal (specified with -H option) after PP has completed its run.
+# HUP after PP has completed its run.
 # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
 # and so on...
 # pid_path=/var/run/snort_eth0.pid
-# This defines the version of snort that you are using, for use ONLY if the
+# This defines the version of snort that you are using, for use ONLY if the
 # proper snort binary is not on the system that you are fetching the rules with
 # This value MUST contain all 4 minor version
 # numbers. ET rules are now also dependant on this, verify supported ET versions
@@ -196,18 +196,18 @@ snort_control=/usr/local/bin/snort_control
 # Here you can specify what rule modification files to run automatically.
 # simply uncomment and specify the apt path.
-# enablesid=/usr/local/etc/snort/enablesid.conf
-# dropsid=/usr/local/etc/snort/dropsid.conf
-# disablesid=/usr/local/etc/snort/disablesid.conf
-# modifysid=/usr/local/etc/snort/modifysid.conf
+enablesid=/opt/so/pulledpork/etc/enablesid.conf
+dropsid=/opt/so/pulledpork/dropsid.conf
+disablesid=/opt/so/pulledpork/disablesid.conf
+modifysid=/opt/so/pulledpork/modifysid.conf
 # What is the base ruleset that you want to use, please uncomment to use
-# and see the README.RULESETS for a description of the options.
-# Note that setting this value will disable all ET rulesets if you are
+# and see the README.RULESETS for a description of the options.
+# Note that setting this value will disable all ET rulesets if you are
 # Running such rulesets
 # ips_policy=security
-####### Remember, a number of these values are optional.. if you don't
+####### Remember, a number of these values are optional.. if you don't
 ####### need to process so_rules, simply comment out the so_rule section
 ####### you can also specify -T at runtime to process only GID 1 rules.
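Review bot: `enablesid` is set to `/opt/so/pulledpork/etc/enablesid.conf` while `dropsid`, `disablesid` and `modifysid` point at `/opt/so/pulledpork/*.conf` without the `etc/` component; one of the two layouts is almost certainly a typo, and a wrong path here means the intended SID changes are silently not applied or pulledpork fails at run time (its behaviour on a missing file is not visible here). Make the four consistent with whatever the Salt state actually ships, e.g. `dropsid=/opt/so/pulledpork/etc/dropsid.conf`, `disablesid=/opt/so/pulledpork/etc/disablesid.conf`, `modifysid=/opt/so/pulledpork/etc/modifysid.conf`. Now that these keys are active rather than commented, whoever can write those files can disable or rewrite detection rules on every pulledpork run, so the state that deploys them should give them root-only write permissions. The context line `# simply uncomment and specify the apt path.` two lines above is stale once the keys are uncommented.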