# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # # This file is pretty big by default, but don't worry. # The only things required are "path" and "update_files". You must also # set "url" to point to the correct rules archive for your version of # Snort, unless you prefer to specify this on the command line. # The rest in here is just a few recommended defaults, and examples # how to use all the other optional features and give some ideas how they # could be used. # Remember not to let untrusted users edit Oinkmaster configuration # files, as things like the PATH to use during execution is defined # in here. # Use "url = " to specify the location of the rules archive to # download. The url must begin with http://, https://, ftp://, file:// # or scp:// and end with .tar.gz or .tgz, and the file must be a # gzipped tarball what contains a directory named "rules". # You can also point to a local directory with dir://. # Multiple "url = " lines can be specified to grab multiple rules # archives from different locations. # # Note: if URL is specified on the command line, it overrides all # possible URLs specified in the configuration file(s). # # The location of the official Snort rules you should use depends # on which Snort version you run. Basically, you should go to # http://www.snort.org/rules/ and follow the instructions # there to pick the right URL for your version of Snort # (and remember to update the URL when upgrading Snort in the # future). You can of course also specify locations to third party # rules. # # As of March 2005, you must register on the Snort site to get access # to the official Snort rules. This will get you an "oinkcode". # You then specify the URL as # http://www.snort.org/pub-bin/oinkmaster.cgi// # For example, if your code is 5a081649c06a277e1022e1284b and # you use Snort 2.4, the url to use would be (without the wrap): # http://www.snort.org/pub-bin/oinkmaster.cgi/ # 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz # See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for # more information. url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz # URL examples follows. Replace with the code you get on the # Snort site in your registered user profile. # Example for Snort 2.4 # url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.4.tar.gz # Example for Snort-current ("current" means cvs snapshots). # url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-CURRENT.tar.gz # Example for Community rules # url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz # Example for rules from the Bleeding Snort project # url = http://www.bleedingsnort.com/bleeding.rules.tar.gz # If you prefer to download the rules archive from outside Oinkmaster, # you can then point to the file on your local filesystem by using # file://, for example: # url = file:///tmp/snortrules.tar.gz # In rare cases you may want to grab the rules directly from a # local directory (don't confuse this with the output directory). # url = dir:///etc/snort/src/rules # Example to use scp to copy the rules archive from another host. # Only OpenSSH is tested. See the FAQ for more information. # url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz # If you use -u scp://... and need to specify a private ssh key (passed # as -i to the scp command) you can specify it here or add an # entry in ~/.ssh/config for the Oinkmaster user as described in the # OpenSSH manual. # scp_key = /home/oinkmaster/oinkmaster_privkey # The PATH to use during execution. If you prefer to use external # binaries (i.e. use_external_bins=1, see below), tar and gzip must be # found, and also wget if downloading via ftp, http or https. All with # optional .exe suffix. If you're on Cygwin, make sure that the path # contains the Cygwin binaries and not the native Win32 binaries or # you will get problems. # Assume UNIX style by default: path = /bin:/usr/bin:/usr/local/bin:%%PREFIX%%/bin # Example if running native Win32 or standalone Cygwin: # path = c:\oinkmaster;c:\oinkmaster\bin # Example if running standalone Cygwin and you prefer Cygwin style path: # path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin # We normally use external binaries (wget, tar and gzip) since they're # already available on most systems and do a good job. If you have the # Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use # those instead if you like. You can set use_external_bins below to # choose which method you prefer. It's set to 0 by default on Win32 # (i.e. use Perl modules), and 1 on other systems (i.e. use external # binaries). The reason for that is that the required Perl modules # are included on Windows/ActivePerl 5.8.1+, so it's easier to use # those than to install the ported Unix tools. (Note that if you're # using scp to download the archive, external scp binary is still # used.) # use_external_bins = 0 # Temporary directory to use. This directory must exist when starting and # Oinkmaster will then create a temporary sub directory in here. # Keep it as a #comment if you want to use the default. # The default will be checked for in the environment variables TMP, # TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. # Example for UNIX. # tmpdir = /home/oinkmaster/tmp/ # Example if running native Win32 or Cygwin. # tmpdir = c:\tmp # Example if running Cygwin and you prefer Cygwin style path. # tmpdir = /cygdrive/c/tmp # The umask to use during execution if you want it to be something # else than the current value when starting Oinkmaster. # This will affect the mode bits when writing new files. # Keep it commented out to keep your system's current umask. # umask = 0027 # Files in the archive(s) matching this regular expression will be # checked for changes, and then updated or added if needed. # All other files will be ignored. You can then choose to skip # individual files by specifying the "skipfile" keyword below. # Normally you shouldn't need to change this one. update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ # Regexp of keywords that starts a Snort rule. # May be useful if you create your own ruletypes and want those # lines to be regarded as rules as well. # rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic # If the number of rules files in the downloaded archive matching the # 'update_files' regexp is below min_files, or if the number # of rules is below min_rules, the rules are regarded as broken # and the update is aborted with an error message. # Both are set to 1 by default (i.e. the archive is only regarded as # broken if it's totally empty). # If you download from multiple URLs, the count is the total number # of files/rules across all archives. # min_files = 1 # min_rules = 1 # By default, a basic sanity check is performed on most paths/filenames # to see if they contain illegal characters that may screw things up. # If this check is too strict for your system (e.g. you get bogus # "illegal characters in filename" errors because of your local language # etc) and you're sure you want to disable the checks completely, # set use_path_checks to 0. # use_path_checks = 1 # If you want Oinkmaster to send a User-Agent HTTP header string # other than the default one for wget/LWP, set this variable. # user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) # You can include other files anywhere in here by using # "include ". will be parsed just like a regular # oinkmaster.conf as soon as the include statement is seen, and then # return and continue parsing the rest of the original file. If an # option is redefined, it will override the previous value. You can use # as many "include" statements as you wish, and also include even more # files from included files. Example to load stuff from "/etc/foo.conf". # include /etc/foo.conf ####################################################################### # Files to totally skip (i.e. never update or check for changes) # # # # Syntax: skipfile filename # # or: skipfile filename1, filename2, filename3, ... # ####################################################################### # Ignore local.rules from the rules archive by default since we might # have put some local rules in our own local.rules and we don't want it # to get overwritten by the empty one from the archive after each # update. skipfile local.rules # The file deleted.rules contains rules that have been deleted from # other files, so there is usually no point in updating it. skipfile deleted.rules # Also skip snort.conf by default since we don't want to overwrite our # own snort.conf if we have it in the same directory as the rules. If # you have your own production copy of snort.conf in another directory, # it may be really nice to check for changes in this file though, # especially since variables are sometimes added or modified and # new/old files are included/excluded. skipfile snort.conf # You may want to consider ignoring threshold.conf for the same reasons # as for snort.conf, i.e. if you customize it locally and don't want it # to become overwritten by the default one. It may be better to put # local thresholding/suppressing in some local file and still update # and use the official one though, in case important stuff is added to # it some day. We do update it by default, but it's your call. # skipfile threshold.conf # If you update from multiple URLs at the same time you may need to # ignore the sid-msg.map (and generate it yourself if you need one) as # it's usually included in each rules tarball. See the FAQ for more info. # skipfile sid-msg.map ########################################################################## # SIDs to modify after each update (only for the skilled/stupid/brave). # # Don't use it unless you have to. There is nothing that stops you from # # modifying rules in such ways that they become invalid or generally # # break things. You have been warned. # # If you just want to disable SIDs, please skip this section and have a # # look at the "disablesid" keyword below. # # # # You may specify multiple modifysid directives for the same SID (they # # will be processed in order of appearance), and you may also specify a # # list of SIDs on which the substitution should be applied. # # If the argument is in the form something.something it's regarded # # as a filename and the substitution will apply on all rules in that # # file. The wildcard ("*") can be used to apply the substitution on all # # rules regardless of the SID or file. Please avoid using #comments # # at the end of modifysid lines, they may confuse the parser in some # # situations. # # # # Syntax: # # modifysid SID "replacethis" | "withthis" # # or: # # modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # # or: # # modifysid file "replacethis" | "withthis" # # or: # # modifysid * "replacethis" | "withthis" # # # # The strings within the quotes will basically be passed to a # # s/replacethis/withthis/ statement in Perl, so they must be valid # # regular expressions. The strings are case-insensitive and only the # # first occurrence will be replaced. If there are multiple occurrences # # you want to replace, simply repeat the same modifysid line. # # As the strings are regular expressions, you MUST escape special # # characters like $ \ / ( ) | by prepending a "\" to them. # # # # If you specify a modifysid statement for a multi-line rule, Oinkmaster # # will first translate the rule into a single-line version and then # # perform the substitution, so you don't have to care about the trailing # # backslashes and newlines. # # # # If you use backreference variables in the substitution expression, # # it's strongly recommended to specify them as ${1} instead of $1 and so # # on, to avoid parsing confusion with unexpected results in some # # situations. Note that modifysid statements will process both active # # and inactive (disabled) rules. # # # # You may want to check out README.templates and template-examples.conf # # to find how you can simplify the modifysid usage by using templates. # ########################################################################## # Example to enable a rule (in this case SID 1325) that is disabled by # default, by simply replacing leading "#alert" with "alert". # (You should really use 'enablesid' for this though.) # Oinkmaster removes whitespaces next to the leading "#" so you don't # have to worry about that, but be careful about possible whitespace in # other places when writing the regexps. # modifysid 1325 "^#alert" | "alert" # You could also do this to enable it no matter what type of rule it is # (alert, log, pass, etc). # modifysid 1325 "^#" | "" # Example to add "tag" stuff to SID 1325. # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" # Example to make SID 1378 a 'drop' rule (valid if you're running # Snort_inline). # modifysid 1378 "^alert" | "drop" # Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET # in SID 302. # modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" # You can also specify that a substitution should apply on multiple SIDs. # modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET" # You can take advantage of the fact that it's regular expressions and # do more complex stuff. This example (for Snort_inline) adds a 'replace' # statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". # modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ # "${1} replace:"\/foo\/sh";" # If you for some reason would like to add a comment inside the actual # rules file, like the reason why you disabled this rule, you can do # like this (you would normally add such comments in oinkmaster.conf # though). # modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" # Here is an example that is actually useful. Let's say you don't care # about incoming welchia pings (detected by SID 483 at the time of # writing) but you want to know when infected hosts on your network # scans hosts on the outside. (Remember that watching for outgoing # malicious packets is often just as important as watching for incoming # ones, especially in this case.) The rule currently looks like # "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." # but we want to switch that so it becomes # "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". # Here is how it could be done. # modifysid 483 \ # "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ # "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" # The wildcard (modifysid * ...) can be used to do all kinds of # interesting things. The substitution expression will be applied on all # matching rules. First, a silly example to replace "foo" with "bar" in # all rules (that have the string "foo" in them, that is.) # modifysid * "foo" | "bar" # If you for some reason don't want to use the stream preprocessor to # match established streams, you may want to replace the 'flow' # statement with 'flags:A+;' in all those rules. # modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" # Example to convert all rules of classtype attempted-admin to 'drop' # rules (for Snort_inline only, obviously). # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" # This one will append some text to the 'msg' string for all rules that # have the 'tag' keyword in them. # modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ # "${1}, going to tag this baby"${2}" # There may be times when you want to replace multiple occurrences of a # certain keyword/string in a rule and not just the first one. To # replace the first two occurrences of "foo" with "bar" in SID 100, # simply repeat the modifysid statement: # modifysid 100 "foo" | "bar" # modifysid 100 "foo" | "bar" # Or you can even specify a SID list but repeat the same SID as many # times as required, like: # modifysid 100,100,100 "foo" | "bar" # Enable all rules in the file exploit.rules. # modifysid exploit.rules "^#" | "" # Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. # modifysid exploit.rules, snmp.rules, 1171 "^#" | "" ######################################################################## # SIDs that we don't want to update. # # If you for some reason don't want a specific rule to be updated # # (e.g. you made local modifications to it and you never want to # # update it and don't care about changes in the official version), you # # can specify a "localsid" statement for it. This means that the old # # version of the rule (i.e. the one in the rules file on your # # harddrive) is always kept, regardless if the official version has # # been updated. Please do not use this feature unless in special # # cases as it's easy to end up with many signatures that aren't # # maintained anymore. See the FAQ for details about this and hints # # about better solutions regarding customization of rules. # # # # Syntax: localsid SID # # or: localsid SID1, SID2, SID3, ... # ######################################################################## # Example to never update SID 1325. # localsid 1325 ######################################################################## # SIDs to enable after each update. # # Will simply remove all the leading '#' for a specified SID (if it's # # a multi-line rule, the leading '#' for all lines are removed.) # # These will be processed after all the modifysid and disablesid # # statements. Using 'enablesid' on a rule that is not disabled is a # # NOOP. # # # # Syntax: enablesid SID # # or: enablesid SID1, SID2, SID3, ... # ######################################################################## # Example to enable SID 1325. # enablesid 1325 ######################################################################## # SIDs to comment out, i.e. disable, after each update by placing a # # '#' in front of the rule (if it's a multi-line rule, it will be put # # in front of all lines). # # # # Syntax: disablesid SID # # or: disablesid SID1, SID2, SID3, ... # ######################################################################## # You can specify one SID per line. # disablesid 1 # disablesid 2 # disablesid 3 # And also as comma-separated lists. # disablesid 4,5,6 # It's a good idea to also add comment about why you disable the sid: # disablesid 1324 # 20020101: disabled this SID just because I can