From 08abad747d9e9de3d97685a7bb7c0548b4d9f183 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 19 Feb 2021 14:59:27 -0500
Subject: [PATCH] Fix name and update examples

---
 salt/idstools/sorules/filer.rules | 3 ---
 salt/idstools/sorules/filter.rules | 11 +++++++++++
 2 files changed, 11 insertions(+), 3 deletions(-)
 delete mode 100644 salt/idstools/sorules/filer.rules
 create mode 100644 salt/idstools/sorules/filter.rules

diff --git a/salt/idstools/sorules/filer.rules b/salt/idstools/sorules/filer.rules
deleted file mode 100644
index 8c761bbab..000000000
--- a/salt/idstools/sorules/filer.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Start the filters at sid 1200000
-# Example of filtering out google.com from being dns logged.
-#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
\ No newline at end of file
diff --git a/salt/idstools/sorules/filter.rules b/salt/idstools/sorules/filter.rules
new file mode 100644
index 000000000..9243e0f04
--- /dev/null
+++ b/salt/idstools/sorules/filter.rules
@@ -0,0 +1,11 @@
+# Start the filters at sid 1200000
+# Example of filtering out *google.com from being in the dns log.
+#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
+# Example of filtering out *google.com from being in the http log.
+#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
+# Example of filtering out someuseragent from being in the http log.
+#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
+# Example of filtering out Google's certificate from being in the ssl log.
+#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
+# Example of filtering out a md5 of a file from being in the files log.
+#config fileinfo any any -> any any (fileinfo.filemd5; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200004;)
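Review bot: The sid:1200004 example carries a copy-paste leftover — its `content:"google.com"` is the DNS value from sid:1200000, not a file hash, so the md5 example as written could never match anything; it should show a 32-character hex digest, e.g. `content:"d41d8cd98f00b204e9800998ecf8427e";`. I also could not confirm that `fileinfo` is an accepted protocol or that `fileinfo.filemd5` is a valid sticky buffer for Suricata config rules (Suricata's `filemd5` keyword takes a list file rather than an inline value), so this example is worth un-commenting once to check that it actually parses before users copy it. Separately, the comments on sid:1200000 and sid:1200001 say `*google.com`, but a bare `content:` match is an unanchored substring match, so a transaction for `google.com.attacker.example` or `notgoogle.com` would also have its logging suppressed; because these rules disable logging rather than alert, that makes the filter an evasion surface. Either the comments should spell that out (e.g. `# NOTE: content: is a substring match — anything containing google.com is also dropped from the log`) or the examples should anchor the match, such as `content:"google.com"; endswith;` on Suricata versions that support it.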