path: root/pulledpork3.conf

# Which Snort/Talos rulesets do you want to download (recomended: choose only one)
community_ruleset = true
registered_ruleset = false
LightSPD_ruleset = false

# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


# which blocklists to download
snort_blocklist = false
et_blocklist = true

# additional blocklists to download from a URL, comma-separated
#blocklist_urls = http://a.b.com/list.list

# Where to write the blocklist file (single file containing all blocklists downloaded)
blocklist_path = /etc/snort/lists/default.blocklist


# PulledPork needs to know which version of Snort you are running in most instances.
# you can do this by giving an explict snort_version or by providing the path (snort_path)
# to the snort binary.  If you don't do either of these, PulledPork will try to determine
# the version of snort by searching for the the binary on your system path.
# This is used to know which registere ruleset to download, the correct files from the LightSPD
# ruleset, and will be used to compile .so rules if you don't provide the distro.

# Where is the Snort Executable located (if not on the system path)
#snort_path = /usr/local/bin/snort

# Which version of snort are you running (optional, not usually needed.). This version will over-rule snort_path
#snort_version = 3.1.0.0

# Where is the PID file for your running snort process/daemon (required to tell snort to reload the
# new rules after rules are modified) This is optional, but recomended.
# the pid file is written by snort in Daemon mode or if you run snort with the --create-pidfile flag.
# the pid file is named snort.pid and is saved in the logging directory (-l flag)
# (no windows support at this time for this feature)
#pid_path=/var/log/snort/snort.pid


# Enable / Disable rules based on the level of functionality/security you want.
# must be one of: connectivity, balanced, security, max-detect, none
# default is connectivity. Will not work with community ruleset.
# https://www.snort.org/faq/why-are-rules-commented-out-by-default
ips_policy = balanced

# Rule Output mode:
# simple (just a single .rules file, with any rule that's not commented out enabled)
# policy (rules file with all rules enabled, using a policy file to enable/disable rules)
rule_mode = simple

# policy path is reqiured if you are using rule_mode = policy
#policy_path = c:\snort\rules\pulledpork.states

# where to save our single combined rule file (This is required, and needs to be an absolute path):
rule_path = /etc/snort/rules/snort.rules

# Local Rules files
# Specify local rules files, comma-separated
#local_rules = /usr/local/etc/rules/local.rules, /another/path/to/more/rules
local_rules = /etc/snort/rules/local.rules

# Rules files to ignore
# includes.rules and snort3-deleted.rules are recommended to always be ignored
#  NOTE: the old "ignore" setting name (from Perl PulledPork) is also accepted here
#        if both are used, the values are combined and de-duped
ignored_files = includes.rules, snort3-deleted.rules

# do you want rules that are disabled to be included when writing rules to rule_path?
# defaults to false. This is ignored if rule_mode = policy, since the policy determines which 
# rules are written
include_disabled_rules = false

# where should so rules be saved
# so rules will only be processed if this is uncommented
#sorule_path = /etc/snort/so_rules/

# What Distro are you running?  This must match one of the supported distros:
# centos-x64, debian-x64, fc-x64, opensuse-x64, ubuntu-x64
# disable this entry to compile rules manually (not yet supported)
#distro = ubuntu-x64

# do you want all the different policys files written to a local directory (for advanced users)
#policies_path = /etc/snort/rules/

# WARNING: RULE MODIFICATION WITH THESE FILES IS PARTIALLY IMPMEMENTED
#   The code for this functionality is experimental, and does not handle GID:SID Ranges
#   or CATEGORIES yet (VRT- or ET- or Custom-)
#   you can use PulledPork2 compatable files / formatting for these files 
#
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/etc/pulledpork/enablesid.conf
# dropsid=/etc/pulledpork/dropsid.conf
# disablesid=/etc/pulledpork/disablesid.conf
# WARNING: RULE MODIFICATION with modifysid IS NOT IMPLEMENTED YET
# modifysid=/etc/pulledpork/modifysid.conf

# WARNING: RULE MODIFICATION IS NOT IMPLEMENTED YET
# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions.  An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable

# PulledPork will use the system default temporary working directory, unless you specify a different one below.
# (this is not common).  PulledPork will create a working folder named PulledPork-YYYY.MM.DD-HH.MM.SS in the
# temp location. This is useful during troubleshooting PulledPork3 with the -k (keep temp directory) flag
#temp_path = /tmp

# Pulledpork3 configuration version variable: may be used in future
CONFIGURATION_NUMBER = 3.0.0.4