Diffstat (limited to 'local.lua')
-rw-r--r-- | local.lua | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/local.lua b/local.lua
new file mode 100644
index 000000000000..1df8d593595b
--- /dev/null
+++ b/local.lua
@@ -0,0 +1,97 @@
+daq =
+{
+ modules =
+ {
+ {
+ name = 'nfq',
+ mode = 'inline',
+ },
+ },
+ module_dirs =
+ {
+ '/usr/lib/daq',
+ },
+}
+
+ips =
+{
+ mode = inline,
+
+ -- use this to enable decoder and inspector alerts
+ --enable_builtin_rules = true,
+
+ -- use include for rules files; be sure to set your path
+ -- note that rules files can include other rules files
+ --include = 'snort3-community.rules',
+
+ variables = default_variables,
+
+ -- pulledpork normally includes local.rules in snort.rules
+ -- otherwise you may add line to include local.rules too
+ rules = [[
+ include $RULE_PATH/snort.rules
+ ]]
+}
+
+normalizer =
+{
+ tcp =
+ {
+ ips = true,
+ }
+}
+
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ file_rules = file_magic,
+ file_policy =
+ {
+ { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
+ }
+}
+
+-- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
+search_engine = { search_method = "hyperscan" }
+detection = { hyperscan_literals = true, pcre_to_regex = true }
+
+-- Enable ZIP, PDF and SWF decompression in http_inspect and smtp
+--http_inspect.decompress_pdf = true
+--http_inspect.decompress_swf = true
+--http_inspect.decompress_zip = true
+--smtp.decompress_pdf = true
+--smtp.decompress_swf = true
+--smtp.decompress_zip = true
+
+-- Logging
+
+-- Enable logging of email headers and attachments in smtp
+--smtp.log_email_hdrs = true
+--smtp.log_filename = true
+--smtp.log_mailfrom = true
+--smtp.log_rcptto = true
+
+unified2 =
+{
+ limit = 128,
+}
+
+alert_fast =
+{
+ file = true,
+}
+
+file_log =
+{
+ log_pkt_time = true,
+ log_sys_time = false,
+}
+
+-- OpenAppID
+appid =
+{
+ app_detector_dir = '/usr/lib/openappid',
+ log_stats = true,
+ app_stats_period = 60,
+} |
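Review bot: In the `ips` table, `mode = inline,` uses an unquoted identifier, which Lua evaluates as an undefined global and so assigns `nil`; the field should be a string, `mode = 'inline',`, matching the quoted `mode = 'inline'` already used in the `daq.modules` entry a few lines above. With `ips.mode` unset the engine presumably falls back to its default non-inline mode, so rules with a drop action would alert without blocking even though the nfq DAQ is inline — worth a comment on the line, e.g. `-- must be 'inline' (quoted) for drop verdicts to be enforced`. The references to `default_variables`, `file_magic` and `$RULE_PATH` rely on symbols defined outside this file (presumably a defaults file loaded first); a short header comment stating that this file must be loaded after them would save the next reader a failed start-up. Similarly, `search_method = "hyperscan"` only works on a build with hyperscan support, which a comment next to it should say.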