-- DAQ (packet acquisition): afpacket in inline mode, i.e. Snort sits in the
-- forwarding path and its verdicts can drop traffic. DAQ modules are
-- searched for under module_dirs.
daq = {}
daq.modules =
{
    { name = 'afpacket', mode = 'inline' },
}
daq.module_dirs = { '/usr/lib/daq' }
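-- IP reputation lists. BLACK_LIST_PATH / WHITE_LIST_PATH are not defined in
-- this file; presumably they come from snort_defaults.lua or an earlier
-- include.
reputation =
{
    blocklist = BLACK_LIST_PATH .. '/default.blocklist',
    allowlist = WHITE_LIST_PATH .. '/default.allowlist',
    -- Module enum values are Lua strings. Written unquoted (allowlist,
    -- do_not_block) they are reads of Lua globals that are nil unless
    -- something else defines them, so both keys would be silently dropped
    -- and the module left on its built-in defaults.
    -- priority: which list wins when an address appears on both.
    priority = 'allowlist',
    -- allow: do_not_block keeps allowlisted traffic under inspection, as
    -- opposed to trust, which bypasses detection for it.
    allow = 'do_not_block',
}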
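-- IPS policy. RULE_PATH and default_variables are not defined in this file;
-- presumably they come from snort_defaults.lua or an earlier include.
ips =
{
    -- Policy mode. Module enum values are Lua strings: the unquoted form
    -- `mode = inline` reads a Lua global named inline, which is nil unless
    -- something else defines it, so the key would be dropped and the policy
    -- would silently run in the built-in default (non-blocking) mode even
    -- though the DAQ is inline.
    mode = 'inline',
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,
    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    include = RULE_PATH .. '/snort.rules',
    variables = default_variables,
    -- pulledpork normally includes local.rules in snort.rules
    -- otherwise you may add line to include local.rules too
    --rules = [[
    -- include $RULE_PATH/local.rules
    --]]
}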
-- TCP normalization so the stream Snort inspects matches what the endpoint
-- reassembles (evasion resistance); only has an effect when the policy is
-- actually inline.
normalizer = {}
normalizer.tcp = { ips = true }
-- File identification by type and SHA-256 signature; matched files are
-- logged, not blocked (verdict = 'log').
file_policy =
{
    enable_type = true;
    enable_signature = true;
    -- NOTE(review): file_policy.rules is documented as a list of
    -- { when = {...}, use = {...} } entries; a single 'use' key placed
    -- directly under rules may not be picked up as intended -- confirm with
    -- --warn-all at startup.
    rules =
    {
        use = { verdict = 'log'; enable_file_type = true; enable_file_signature = true };
    };
}
-- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
-- (presumably requires a Snort build with Hyperscan support; otherwise
-- expect these settings to be rejected at startup)
search_engine = { search_method = 'hyperscan' }
detection =
{
    -- literal fast-pattern matching through hyperscan
    hyperscan_literals = true,
    -- translate pcre options to hyperscan regex where possible
    pcre_to_regex = true,
}
-- Uncomment to enable ZIP, PDF and SWF decompression in http_inspect and smtp
--http_inspect.decompress_pdf = true
--http_inspect.decompress_swf = true
--http_inspect.decompress_zip = true
--smtp.decompress_pdf = true
--smtp.decompress_swf = true
--smtp.decompress_zip = true
-- Logging
-- Uncomment to enable logging of email headers and attachments in smtp
--smtp.log_email_hdrs = true
--smtp.log_filename = true
--smtp.log_mailfrom = true
--smtp.log_rcptto = true
-- Binary unified2 event log; limit is the rollover size in MB.
unified2 = { limit = 128 }
-- One-line-per-event alerts written to the log directory rather than stdout.
alert_fast = {}
-- write to file instead of stdout
alert_fast.file = true
-- omit the packet dump from each record
alert_fast.packet = false
-- rollover size in MB
alert_fast.limit = 128
-- File event log: timestamp records with packet time, not wall-clock time.
file_log =
{
    log_pkt_time = true;
    log_sys_time = false;
}
-- JSON alerts to file (rollover at 128 MB). Note that b64_data embeds the
-- matched packet payload in every record, so this log can contain
-- sensitive traffic content and should be protected accordingly.
alert_json = {}
alert_json.file = true
alert_json.limit = 128
alert_json.fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp'
-- OpenAppID: application detection using detectors from app_detector_dir,
-- with AppId statistics logged every app_stats_period seconds.
appid =
{
    app_detector_dir = '/usr/lib/openappid';
    log_stats = true;
    app_stats_period = 60;
}