-- Packet acquisition. The nfq DAQ takes packets from an iptables/nftables
-- NFQUEUE target and, in inline mode, holds each packet until Snort returns
-- a verdict, so drop verdicts actually block traffic. Queue number and other
-- DAQ options belong in daq.modules[1].variables (e.g. { "queue=0" }); none
-- are set here, so the module defaults apply (see `snort --daq-list`).
-- Operational note: while Snort is not running, the kernel drops traffic
-- steered to NFQUEUE unless the firewall rule uses --queue-bypass; whether
-- this sensor fails closed or open is decided by that rule, not by this file.
daq = {}
daq.module_dirs = { "/usr/lib/daq" }
daq.modules =
{
    { name = "nfq", mode = "inline" },
}

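-- IPS policy. Blocking is switched on here; an inline DAQ alone is not enough.
ips =
{
    -- Must be the *string* 'inline' (quoted, exactly like daq.modules[1].mode).
    -- The original `mode = inline` named an undefined Lua global, i.e. nil, so
    -- ips.mode was never set and Snort used the module default (tap, per
    -- `snort --help-module ips`): drop/reject rules would alert but never
    -- block, even though the DAQ is inline -- a silent fail-open.
    mode = 'inline',

    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3-community.rules',

    -- HOME_NET / EXTERNAL_NET, ports and paths. default_variables is defined
    -- elsewhere (snort_defaults.lua in a stock install), not in this file.
    -- Review HOME_NET there: the stock value is 'any', which weakens every
    -- rule written in terms of $HOME_NET / $EXTERNAL_NET direction.
    variables = default_variables,

    -- pulledpork normally includes local.rules in snort.rules
    -- otherwise you may add line to include local.rules too
    -- $RULE_PATH must resolve (via ips.variables or the environment) to the
    -- directory pulledpork writes to, or this include cannot be opened.
    rules = [[
        include $RULE_PATH/snort.rules
    ]]
}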

-- TCP stream normalization: removes TCP-level ambiguities (bad options,
-- overlapping data, etc.) that are commonly used to evade inspection.
-- Normalizations are only applied with ips.mode = 'inline'; in tap mode
-- Snort only reports what it would have changed.
normalizer = { tcp = { ips = true } }

-- File identification for files carried in inspected traffic: type via magic
-- rules and a SHA-256 signature. file_magic is defined elsewhere
-- (snort_defaults.lua in a stock install), not in this file.
-- verdict = "log" only records what was seen; nothing is blocked even though
-- this sensor is inline. For types or signatures that should be stopped, add
-- policy entries with verdict = "block" / "reset" (see
-- `snort --help-module file_id` for the accepted verdicts).
file_id = {}
file_id.enable_type = true
file_id.enable_signature = true
file_id.file_rules = file_magic
file_id.file_policy =
{
    {
        use =
        {
            verdict = "log",
            enable_file_type = true,
            enable_file_signature = true,
        },
    },
}

-- Pattern-matching backend for IPS content, AppID, HTTP inspection and
-- pcre/regex. Hyperscan is only usable if this Snort build was compiled with
-- it; there is no silent fallback, expect a fatal config error otherwise.
-- pcre_to_regex substitutes Hyperscan regex for PCRE where the pattern is
-- compatible, so a few PCRE-only constructs may be matched differently.
search_engine = { search_method = 'hyperscan' }
detection =
{
    hyperscan_literals = true,
    pcre_to_regex = true,
}

-- Optional (disabled here): ZIP, PDF and SWF decompression in http_inspect and smtp.
-- Without it, content inside compressed documents is not seen by rules or file_id.
-- Uncommenting these dotted assignments requires the http_inspect and smtp tables
-- to already exist (e.g. from snort.lua); indexing a nil table is a Lua error.
--http_inspect.decompress_pdf = true
--http_inspect.decompress_swf = true
--http_inspect.decompress_zip = true
--smtp.decompress_pdf = true
--smtp.decompress_swf = true
--smtp.decompress_zip = true

-- Logging

-- Optional (disabled here): log SMTP headers, attachment filenames and envelope addresses.
-- These fields carry personal data; confirm log retention and access controls before enabling.
--smtp.log_email_hdrs = true
--smtp.log_filename = true
--smtp.log_mailfrom = true
--smtp.log_rcptto = true

-- Binary unified2 event/packet log (consumed by barnyard2 and similar tools).
-- limit is the rollover size in MB per the module help; 128 is also the default.
unified2 = { limit = 128 }

-- One-line text alerts. file = true writes them to alert_fast.txt under the
-- log directory (-l) instead of stdout.
alert_fast = { file = true }

-- Per-file event log for file_id results. Only packet time is recorded, so
-- entries line up with captured traffic rather than the sensor's wall clock.
file_log = {}
file_log.log_pkt_time = true
file_log.log_sys_time = false

-- OpenAppID application detection. app_detector_dir must point at the
-- installed detector package; AppID statistics are logged every
-- app_stats_period seconds (per the module help).
appid = {}
appid.app_detector_dir = "/usr/lib/openappid"
appid.log_stats = true
appid.app_stats_period = 60