Diffstat (limited to 'local.lua')
-rw-r--r--local.lua35
1 files changed, 24 insertions, 11 deletions
diff --git a/local.lua b/local.lua
index 2b6132fdb0ef..e83fd12ba1c4 100644
--- a/local.lua
+++ b/local.lua
@@ -13,24 +13,32 @@ daq =
},
}
+reputation =
+{
+ blocklist = BLACK_LIST_PATH .. '/default.blocklist',
+ allowlist = WHITE_LIST_PATH .. '/default.allowlist',
+ priority = allowlist,
+ allow = do_not_block,
+}
+
ips =
{
mode = inline,
-- use this to enable decoder and inspector alerts
- --enable_builtin_rules = true,
+ enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
- --include = 'snort3-community.rules',
+ include = RULE_PATH .. '/snort.rules',
variables = default_variables,
-- pulledpork normally includes local.rules in snort.rules
-- otherwise you may add line to include local.rules too
- rules = [[
- include $RULE_PATH/snort.rules
- ]]
+ --rules = [[
+ -- include $RULE_PATH/local.rules
+ --]]
}
normalizer =
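Review bot: `priority = allowlist` and `allow = do_not_block` in the new reputation block are bare Lua identifiers rather than strings; unless those names are defined as globals earlier in local.lua or in an included defaults file (the pre-existing `mode = inline` suggests the file may rely on that), each evaluates to nil and the key is silently dropped, so the block would run on the module defaults instead of the stated values. Quoting them removes the ambiguity: `priority = 'allowlist',` and `allow = 'do_not_block',`. Note the opposite failure mode for `BLACK_LIST_PATH` and `WHITE_LIST_PATH`: if either is undefined, the `..` concatenation raises a Lua error at load time rather than silently skipping the list, so they must be set before this block. A one-line comment above the table, such as `-- IP reputation lists; allowlist wins when an address is in both`, would spell out the intent for the next reader.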
@@ -41,15 +49,11 @@ normalizer =
}
}
-file_id =
+file_policy =
{
enable_type = true,
enable_signature = true,
- file_rules = file_magic,
- file_policy =
- {
- { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
- }
+ rules = { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
}
-- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
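Review bot: `rules = { use = { ... } }` in the new file_policy block drops the list wrapper that the removed `file_policy = { { use = ... } }` form had; if `file_policy.rules` is a list of `{ when/use }` entries, as the old shape suggests, a table keyed by `use` with no index 1 may be read as an empty list and the log verdict never applied, so `rules = { { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } } }` is the safer spelling — worth confirming against the module help before merging. The removed `file_rules = file_magic` has no replacement in this hunk; unless a `file_id` table carrying the magic rules is configured elsewhere in the file, type identification has nothing to match against even though `enable_type = true`. A comment such as `-- log every file seen (type + signature); no blocking verdicts` above the block would make the intended policy explicit.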
@@ -80,6 +84,8 @@ unified2 =
alert_fast =
{
file = true,
+ packet = false,
+ limit = 128,
}
file_log =
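Review bot: `limit = 128` in alert_fast carries no unit; as far as I recall Snort's output `limit` is a size in MB before rollover with 0 meaning unlimited, so a comment on that line, `-- roll the fast log over after 128 MB (0 = unlimited)`, would save the lookup and make the rotation policy reviewable. The same literal is repeated in alert_json further down; a shared `local log_limit_mb = 128` near the top of the outputs section would keep the two in step. With unified2 configured above and alert_json added below, this sensor now writes each alert to three outputs, so a short comment naming which consumer each output serves would justify keeping all of them.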
@@ -88,6 +94,13 @@ file_log =
log_sys_time = false,
}
+alert_json =
+{
+ file = true,
+ limit = 128,
+ fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
+}
+
-- OpenAppID
appid =
{
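Review bot: The `fields` list for alert_json includes `b64_data`, which embeds the raw packet payload of every alert in the JSON log; depending on the traffic the sensor sees, that can put credentials, session tokens or other sensitive content into a plaintext file that is rotated only by size (`limit = 128`) and is likely shipped to a SIEM, so confirm that is intended and either restrict the log file's permissions or drop `b64_data` when the consumer does not need payloads. `seconds` and `timestamp` both appear, which is redundant but harmless. A comment above the block, e.g. `-- JSON alert log for SIEM ingestion; b64_data carries the raw payload, so protect the file`, would record the decision. The `appid` table opened on the last line of the hunk continues outside it.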