PulledPork Salt Module- pulledpork.conf
@@ -1,32 +1,32 @@
|
|||||||
# Config file for pulledpork
|
# Config file for pulledpork
|
||||||
# Be sure to read through the entire configuration file
|
# Be sure to read through the entire configuration file
|
||||||
# If you specify any of these items on the command line, it WILL take
|
# If you specify any of these items on the command line, it WILL take
|
||||||
# precedence over any value that you specify in this file!
|
# precedence over any value that you specify in this file!
|
||||||
|
|
||||||
#######
|
#######
|
||||||
####### The below section defines what your oinkcode is (required for
|
####### The below section defines what your oinkcode is (required for
|
||||||
####### VRT rules), defines a temp path (must be writable) and also
|
####### VRT rules), defines a temp path (must be writable) and also
|
||||||
####### defines what version of rules that you are getting (for your
|
####### defines what version of rules that you are getting (for your
|
||||||
####### snort version and subscription etc...)
|
####### snort version and subscription etc...)
|
||||||
#######
|
#######
|
||||||
|
|
||||||
# You can specify one or as many rule_urls as you like, they
|
# You can specify one or as many rule_urls as you like, they
|
||||||
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
|
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
|
||||||
# each on an individual line, or you can specify them in a , separated list
|
# each on an individual line, or you can specify them in a , separated list
|
||||||
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
|
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
|
||||||
# note that the url, rule file, and oinkcode itself are separated by a pipe |
|
# note that the url, rule file, and oinkcode itself are separated by a pipe |
|
||||||
# i.e. url|tarball|123456789,
|
# i.e. url|tarball|123456789,
|
||||||
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
|
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
|
||||||
# NEW Community ruleset:
|
# NEW Community ruleset:
|
||||||
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
|
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
|
||||||
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
|
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
|
||||||
# This format MUST be followed to let pulledpork know that this is a blacklist
|
# This format MUST be followed to let pulledpork know that this is a blacklist
|
||||||
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open
|
#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
|
||||||
# URL for rule documentation! (slow to process)
|
# URL for rule documentation! (slow to process)
|
||||||
rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource
|
#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
|
||||||
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
|
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
|
||||||
# and open-nogpl, to avoid conflicts.
|
# and open-nogpl, to avoid conflicts.
|
||||||
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
|
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
|
||||||
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
|
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
|
||||||
# and the et oinkcode requirement!
|
# and the et oinkcode requirement!
|
||||||
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
|
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
|
||||||
@@ -56,22 +56,22 @@ ignore=deleted.rules,experimental.rules,local.rules
|
|||||||
# previous ignore line and uncomment the following!
|
# previous ignore line and uncomment the following!
|
||||||
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
|
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
|
||||||
|
|
||||||
# What is our temp path, be sure this path has a bit of space for rule
|
# What is our temp path, be sure this path has a bit of space for rule
|
||||||
# extraction and manipulation, no trailing slash
|
# extraction and manipulation, no trailing slash
|
||||||
temp_path=/tmp
|
temp_path=/tmp
|
||||||
|
|
||||||
#######
|
#######
|
||||||
####### The below section is for rule processing. This section is
|
####### The below section is for rule processing. This section is
|
||||||
####### required if you are not specifying the configuration using
|
####### required if you are not specifying the configuration using
|
||||||
####### runtime switches. Note that runtime switches do SUPERSEED
|
####### runtime switches. Note that runtime switches do SUPERSEED
|
||||||
####### any values that you have specified here!
|
####### any values that you have specified here!
|
||||||
#######
|
#######
|
||||||
|
|
||||||
# What path you want the .rules file containing all of the processed
|
# What path you want the .rules file containing all of the processed
|
||||||
# rules? (this value has changed as of 0.4.0, previously we copied
|
# rules? (this value has changed as of 0.4.0, previously we copied
|
||||||
# all of the rules, now we are creating a single large rules file
|
# all of the rules, now we are creating a single large rules file
|
||||||
# but still keeping a separate file for your so_rules!
|
# but still keeping a separate file for your so_rules!
|
||||||
rule_path=/usr/local/etc/snort/rules/snort.rules
|
rule_path=/opt/so/rules/nids/downloaded.rules
|
||||||
|
|
||||||
# What path you want the .rules files to be written to, this is UNIQUE
|
# What path you want the .rules files to be written to, this is UNIQUE
|
||||||
# from the rule_path and cannot be used in conjunction, this is to be used with the
|
# from the rule_path and cannot be used in conjunction, this is to be used with the
|
||||||
@@ -86,24 +86,24 @@ rule_path=/usr/local/etc/snort/rules/snort.rules
|
|||||||
# files that are local to your system here by adding a comma and more paths...
|
# files that are local to your system here by adding a comma and more paths...
|
||||||
# remember that the FULL path must be specified for EACH value.
|
# remember that the FULL path must be specified for EACH value.
|
||||||
# local_rules=/path/to/these.rules,/path/to/those.rules
|
# local_rules=/path/to/these.rules,/path/to/those.rules
|
||||||
local_rules=/usr/local/etc/snort/rules/local.rules
|
local_rules=/opt/so/rules/nids/local.rules,/opt/so/rules/nids/decoder-events.rules,/opt/so/rules/nids/stream-events.rules,/opt/so/rules/nids/http-events.rules,/opt/so/rules/nids/smtp-events.rules
|
||||||
|
|
||||||
# Where should I put the sid-msg.map file?
|
# Where should I put the sid-msg.map file?
|
||||||
sid_msg=/usr/local/etc/snort/sid-msg.map
|
sid_msg=/opt/so/rules/nids/sid-msg.map
|
||||||
|
|
||||||
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
|
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
|
||||||
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
|
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
|
||||||
sid_msg_version=1
|
sid_msg_version=1
|
||||||
|
|
||||||
# Where do you want me to put the sid changelog? This is a changelog
|
# Where do you want me to put the sid changelog? This is a changelog
|
||||||
# that pulledpork maintains of all new sids that are imported
|
# that pulledpork maintains of all new sids that are imported
|
||||||
sid_changelog=/var/log/sid_changes.log
|
sid_changelog=/var/log/nsm/sid_changes.log
|
||||||
# this value is optional
|
# this value is optional
|
||||||
|
|
||||||
#######
|
#######
|
||||||
####### The below section is for so_rule processing only. If you don't
|
####### The below section is for so_rule processing only. If you don't
|
||||||
####### need to use them.. then comment this section out!
|
####### need to use them.. then comment this section out!
|
||||||
####### Alternately, if you are not using pulledpork to process
|
####### Alternately, if you are not using pulledpork to process
|
||||||
####### so_rules, you can specify -T at runtime to bypass this altogether
|
####### so_rules, you can specify -T at runtime to bypass this altogether
|
||||||
#######
|
#######
|
||||||
|
|
||||||
@@ -112,11 +112,11 @@ sid_changelog=/var/log/sid_changes.log
|
|||||||
sorule_path=/usr/local/lib/snort_dynamicrules/
|
sorule_path=/usr/local/lib/snort_dynamicrules/
|
||||||
|
|
||||||
# Path to the snort binary, we need this to generate the stub files
|
# Path to the snort binary, we need this to generate the stub files
|
||||||
snort_path=/usr/local/bin/snort
|
snort_path=/usr/bin/snort
|
||||||
|
|
||||||
# We need to know where your snort.conf file lives so that we can
|
# We need to know where your snort.conf file lives so that we can
|
||||||
# generate the stub files
|
# generate the stub files
|
||||||
config_path=/usr/local/etc/snort/snort.conf
|
config_path=/etc/nsm/templates/snort/snort.conf
|
||||||
|
|
||||||
##### Deprecated - The stubs are now categorically written to the single rule file!
|
##### Deprecated - The stubs are now categorically written to the single rule file!
|
||||||
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
|
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
|
||||||
@@ -130,7 +130,7 @@ config_path=/usr/local/etc/snort/snort.conf
|
|||||||
# OpenBSD-5-2, OpenBSD-5-3
|
# OpenBSD-5-2, OpenBSD-5-3
|
||||||
# OpenSUSE-11-4, OpenSUSE-12-1
|
# OpenSUSE-11-4, OpenSUSE-12-1
|
||||||
# Slackware-13-1
|
# Slackware-13-1
|
||||||
distro=FreeBSD-8-1
|
distro=Centos-5-4
|
||||||
|
|
||||||
####### This next section is optional, but probably pretty useful to you.
|
####### This next section is optional, but probably pretty useful to you.
|
||||||
####### Please read thoroughly!
|
####### Please read thoroughly!
|
||||||
@@ -165,8 +165,8 @@ snort_control=/usr/local/bin/snort_control
|
|||||||
# pp_backup.1295886020.tgz
|
# pp_backup.1295886020.tgz
|
||||||
# backup_file=/tmp/pp_backup
|
# backup_file=/tmp/pp_backup
|
||||||
|
|
||||||
# Where do you want the signature docs to be copied, if this is commented
|
# Where do you want the signature docs to be copied, if this is commented
|
||||||
# out then they will not be copied / extracted. Note that extracting them
|
# out then they will not be copied / extracted. Note that extracting them
|
||||||
# will add considerable runtime to pulledpork.
|
# will add considerable runtime to pulledpork.
|
||||||
# docs=/path/to/base/www
|
# docs=/path/to/base/www
|
||||||
|
|
||||||
@@ -179,12 +179,12 @@ snort_control=/usr/local/bin/snort_control
|
|||||||
|
|
||||||
|
|
||||||
# Define the path to the pid files of any running process that you want to
|
# Define the path to the pid files of any running process that you want to
|
||||||
# sent a signal (specified with -H option) after PP has completed its run.
|
# HUP after PP has completed its run.
|
||||||
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
|
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
|
||||||
# and so on...
|
# and so on...
|
||||||
# pid_path=/var/run/snort_eth0.pid
|
# pid_path=/var/run/snort_eth0.pid
|
||||||
|
|
||||||
# This defines the version of snort that you are using, for use ONLY if the
|
# This defines the version of snort that you are using, for use ONLY if the
|
||||||
# proper snort binary is not on the system that you are fetching the rules with
|
# proper snort binary is not on the system that you are fetching the rules with
|
||||||
# This value MUST contain all 4 minor version
|
# This value MUST contain all 4 minor version
|
||||||
# numbers. ET rules are now also dependant on this, verify supported ET versions
|
# numbers. ET rules are now also dependant on this, verify supported ET versions
|
||||||
@@ -196,18 +196,18 @@ snort_control=/usr/local/bin/snort_control
|
|||||||
|
|
||||||
# Here you can specify what rule modification files to run automatically.
|
# Here you can specify what rule modification files to run automatically.
|
||||||
# simply uncomment and specify the apt path.
|
# simply uncomment and specify the apt path.
|
||||||
# enablesid=/usr/local/etc/snort/enablesid.conf
|
enablesid=/opt/so/pulledpork/etc/enablesid.conf
|
||||||
# dropsid=/usr/local/etc/snort/dropsid.conf
|
dropsid=/opt/so/pulledpork/dropsid.conf
|
||||||
# disablesid=/usr/local/etc/snort/disablesid.conf
|
disablesid=/opt/so/pulledpork/disablesid.conf
|
||||||
# modifysid=/usr/local/etc/snort/modifysid.conf
|
modifysid=/opt/so/pulledpork/modifysid.conf
|
||||||
|
|
||||||
# What is the base ruleset that you want to use, please uncomment to use
|
# What is the base ruleset that you want to use, please uncomment to use
|
||||||
# and see the README.RULESETS for a description of the options.
|
# and see the README.RULESETS for a description of the options.
|
||||||
# Note that setting this value will disable all ET rulesets if you are
|
# Note that setting this value will disable all ET rulesets if you are
|
||||||
# Running such rulesets
|
# Running such rulesets
|
||||||
# ips_policy=security
|
# ips_policy=security
|
||||||
|
|
||||||
####### Remember, a number of these values are optional.. if you don't
|
####### Remember, a number of these values are optional.. if you don't
|
||||||
####### need to process so_rules, simply comment out the so_rule section
|
####### need to process so_rules, simply comment out the so_rule section
|
||||||
####### you can also specify -T at runtime to process only GID 1 rules.
|
####### you can also specify -T at runtime to process only GID 1 rules.
|
||||||
|
|
||||||
|
|||||||