# Config file for pulledpork # Be sure to read through the entire configuration file # If you specify any of these items on the command line, it WILL take # precedence over any value that you specify in this file! ####### ####### The below section defines what your oinkcode is (required for ####### VRT rules), defines a temp path (must be writable) and also ####### defines what version of rules that you are getting (for your ####### snort version and subscription etc...) ####### # You can specify one or as many rule_urls as you like, they # must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify # each on an individual line, or you can specify them in a , separated list # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456 # note that the url, rule file, and oinkcode itself are separated by a pipe | # i.e. url|tarball|123456789, rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| # NEW Community ruleset: rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST| # This format MUST be followed to let pulledpork know that this is a blacklist rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open # URL for rule documentation! (slow to process) rule_url=https://www.snort.org/reg-rules/|opensource.gz| #rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open # THE FOLLOWING URL is for etpro downloads, note the tarball name change! # and the et oinkcode requirement! #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz| # NOTE above that the VRT snortrules-snapshot does not contain the version # portion of the tarball name, this is because PP now automatically populates # this value for you, if, however you put the version information in, PP will # NOT populate this value but will use your value! # Specify rule categories to ignore from the tarball in a comma separated list # with no spaces. There are four ways to do this: # 1) Specify the category name with no suffix at all to ignore the category # regardless of what rule-type it is, ie: netbios # 2) Specify the category name with a '.rules' suffix to ignore only gid 1 # rulefiles located in the /rules directory of the tarball, ie: policy.rules # 3) Specify the category name with a '.preproc' suffix to ignore only # preprocessor rules located in the /preproc_rules directory of the tarball, # ie: sensitive-data.preproc # 4) Specify the category name with a '.so' suffix to ignore only shared-object # rules located in the /so_rules directory of the tarball, ie: netbios.so # The example below ignores dos rules wherever they may appear, sensitive- # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules), # and netbios gid-1 rules (while including netbios so-rules): # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x. ignore=deleted.rules,experimental.rules,local.rules # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the # previous ignore line and uncomment the following! # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data # What is our temp path, be sure this path has a bit of space for rule # extraction and manipulation, no trailing slash temp_path=/tmp ####### ####### The below section is for rule processing. This section is ####### required if you are not specifying the configuration using ####### runtime switches. Note that runtime switches do SUPERSEED ####### any values that you have specified here! ####### # What path you want the .rules file containing all of the processed # rules? (this value has changed as of 0.4.0, previously we copied # all of the rules, now we are creating a single large rules file # but still keeping a separate file for your so_rules! rule_path=/etc/snort/rules/snort.rules # What path you want the .rules files to be written to, this is UNIQUE # from the rule_path and cannot be used in conjunction, this is to be used with the # -k runtime flag, this can be set at runtime using the -K flag or specified # here. If specified here, the -k option must also be passed at runtime, however # specifying -K at runtime forces the -k option to also be set # out_path=/usr/local/etc/snort/rules/ # If you are running any rules in your local.rules file, we need to # know about them to properly build a sid-msg.map that will contain your # local.rules metadata (msg) information. You can specify other rules # files that are local to your system here by adding a comma and more paths... # remember that the FULL path must be specified for EACH value. # local_rules=/path/to/these.rules,/path/to/those.rules local_rules=/etc/snort/rules/local.rules # Where should I put the sid-msg.map file? sid_msg=/etc/snort/sid-msg.map # New for by2 and more advanced msg mapping. Valid options are 1 or 2 # specify version 2 if you are running barnyard2.2+. Otherwise use 1 sid_msg_version=1 # Where do you want me to put the sid changelog? This is a changelog # that pulledpork maintains of all new sids that are imported sid_changelog=/var/log/sid_changes.log # this value is optional ####### ####### The below section is for so_rule processing only. If you don't ####### need to use them.. then comment this section out! ####### Alternately, if you are not using pulledpork to process ####### so_rules, you can specify -T at runtime to bypass this altogether ####### # What path you want the .so files to actually go to *i.e. where is it # defined in your snort.conf, needs a trailing slash sorule_path=/usr/local/lib/snort_dynamicrules/ # Path to the snort binary, we need this to generate the stub files snort_path=/usr/local/bin/snort # We need to know where your snort.conf file lives so that we can # generate the stub files config_path=/etc/snort/snort.conf ##### Deprecated - The stubs are now categorically written to the single rule file! # sostub_path=/usr/local/etc/snort/rules/so_rules.rules # Define your distro, this is for the precompiled shared object libs! # Valid Distro Types: # Debian-5-0, Debian-6-0, # Ubuntu-8.04, Ubuntu-10-4 # Centos-4-8, Centos-5-4 # FC-12, FC-14, RHEL-5-5, RHEL-6-0 # FreeBSD-7-3, FreeBSD-8-1 # OpenBSD-4-8 # Slackware-13-1 distro=Ubuntu-10-4 ####### This next section is optional, but probably pretty useful to you. ####### Please read thoroughly! # If you are using IP Reputation and getting some public lists, you will probably # want to tell pulledpork where your blacklist file lives, PP automagically will # de-dupe any duplicate IPs from different sources. black_list=/etc/snort/rules/iplists/default.blacklist # IP Reputation does NOT require a full snort HUP, it introduces a concept whereby # the IP list can be reloaded while snort is running through the use of a control # socket. Please be sure that you built snort with the following optins: # -enable-shared-rep and --enable-control-socket. Be sure to read about how to # configure these! The following option tells pulledpork where to place the version # file for use with control socket ip list reloads! # This should be the same path where your black_list lives! IPRVersion=/etc/snort/rules/iplists # The following option tells snort where the snort_control tool is located. snort_control=/usr/local/bin/snort_control # What do you want to backup and archive? This is a comma separated list # of file or directory values. If a directory is specified, PP will recurse # through said directory and all subdirectories to archive all files. # The following example backs up all snort config files, rules, pulledpork # config files, and snort shared object binary rules. # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/ # what path and filename should we use for the backup tarball? # note that an epoch time value and the .tgz extension is automatically added # to the backup_file name on completeion i.e. the written file is: # pp_backup.1295886020.tgz # backup_file=/tmp/pp_backup # Where do you want the signature docs to be copied, if this is commented # out then they will not be copied / extracted. Note that extracting them # will add considerable runtime to pulledpork. # docs=/path/to/base/www # The following option, state_order, allows you to more finely control the order # that pulledpork performs the modify operations, specifically the enablesid # disablesid and dropsid functions. An example use case here would be to # disable an entire category and later enable only a rule or two out of it. # the valid values are disable, drop, and enable. # state_order=disable,drop,enable # Define the path to the pid files of any running process that you want to # HUP after PP has completed its run. # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid # and so on... # pid_path=/var/run/snort_eth0.pid # This defines the version of snort that you are using, for use ONLY if the # proper snort binary is not on the system that you are fetching the rules with # This value MUST contain all 4 minor version # numbers. ET rules are now also dependant on this, verify supported ET versions # prior to simply throwing rubbish in this variable kthx! # snort_version=2.9.0.0 # Here you can specify what rule modification files to run automatically. # simply uncomment and specify the apt path. enablesid=/etc/snort/enablesid.conf dropsid=/etc/snort/dropsid.conf disablesid=/etc/snort/disablesid.conf modifysid=/etc/snort/modifysid.conf # What is the base ruleset that you want to use, please uncomment to use # and see the README.RULESETS for a description of the options. # Note that setting this value will disable all ET rulesets if you are # Running such rulesets # ips_policy=security ####### Remember, a number of these values are optional.. if you don't ####### need to process so_rules, simply comment out the so_rule section ####### you can also specify -T at runtime to process only GID 1 rules. version=0.7.0