# This is the default Debian configuration for oinkmaster # Fore more information on how to customise this file with # further options please check /usr/share/doc/oinkmater/examples # for the original (bigger and more verbose) configuration file. # ------------------------- # Location of rules archive # ------------------------- # NOTE: this might need to be changed based on the Snort version # you are running. This configuration files uses Snort 2.2.x #url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz url = http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.tar.gz # For Snort 2.1 #url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz # For Snort 2.0 # url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz # To use CVS snapshots # url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz # -------------------- # System configuration # -------------------- path = /sbin:/usr/sbin:/bin:/usr/bin # Use external binaries? By default we don't. use_external_bins = 1 # Temporary directory to use. The default configuration only allows # root to update the ruleset. # Note: If commented out will check environment variables TMP, # TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. tmpdir = /var/run/oinkmaster # Umask to use while executing umask = 0027 # -------------------- # Extra configuration # -------------------- # Files in the archive matching this regular expression will be # checked for changes, and then updated or added if needed. # You can then choose to skip individual files by specifying # the "skipfile" keyword below. # Normally you shouldn't need to change this one. # (But if you do, make sure it's still a valid regexp.) update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ # Regexp of keywords that starts a snort rule. # May be useful if you create your own ruletypes and want those # lines to be regarded as rules as well. # rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic # If the number of rules files in the downloaded archive matching the # 'update_files' regexp is below min_files, or if the total number # of rules in it is below min_rules, the archive is regarded as # broken and the update is aborted with an error message. # Both are set to 1 by default (i.e. the archive is only regarded as # broken if it's totally empty). # min_files = 1 # min_rules = 1 # By default, a basic sanity check is performed on most paths/filenames to # see if they contain illegal characters that may screw things up. If this # check is too strict for your system (i.e. you get bogus "illegal # characters in filename" errors) and you're sure you want to disable # the check completely, set use_path_checks to 0. use_path_checks = 1 # You can include other files: # include foo.conf # -------------- # Rules handling # -------------- ####################################################################### # Files to totally skip (i.e. never update or check for changes) # # # # Syntax: skipfile filename # # or: skipfile filename1, filename2, filename3, ... # ####################################################################### # Ignore local.rules from the rules archive by default since we might # have put some local rules in our own local.rules and we don't want it to # get overwritten by the empty one from the archive after each update. skipfile local.rules # The file deleted.rules contains rules that have been deleted from other # files, so there is usually no point in updating it (although it may be # useful to watch for changes in it anyway since it sometimes contains # useful comments about *why* certain rules are deleted). skipfile deleted.rules # Also skip snort.conf by default since we don't want to overwrite our own # snort.conf if we have it in the same directory as the rules. If you # have your own production copy of snort.conf in another directory, it may # be really nice to check for changes in this file though, especially # since variables are sometimes added or modified and new/old files are # included/excluded. skipfile snort.conf # You may want to consider ignoring threshold.conf for the same reasons as # for snort.conf, i.e. if you customize it locally and don't want it to # become overwritten by the default one. It may be better to put local # thresholding/suppressing in some local file and still update and use # the official one though, in case important stuff is added to it some # day. We do update it by default, but it's your call. # skipfile threshold.conf ########################################################################## # SIDs to modify after each update (only for the skilled/stupid/brave). # # Don't use it unless you have to. There is nothing that stops you from # # modifying rules in such ways that they become invalid. # # If you just want to disable SIDs, please skip this section and have a # # look at the "disablesid" keyword below. # # # # You may specify multiple modifysid directives for the same SID (they # # will be processed in order of appearance), and you may also specify a # # list of SIDs on which the substitution should be applied. # # The wildcard ("*") can be used to apply the substitution on all rules # # regardless of the SID. # # # # Syntax: modifysid SID "replacethis" | "withthis" # # or: # # modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # # or: # # modifysid * "replacethis" | "withthis" # # # # The strings within the quotes will simply be passed to a # # s/replacethis/withthis/ statement in Perl, so they must be valid # # regular expressions. The strings are case-sensitive and only the first # # occurrence will be replaced. If there are multiple occurrences you # # want replace, simply repeat the same modifysid line. # ########################################################################## ######################################################################## # SIDs to enable after each update. # # Will simply remove all the leading '#' for a specified SID (if it's # # a multi-line rule, the leading '#' for all lines are removed.) # # These will be processed after all the modifysid and disablesid # # statements. Using 'enablesid' on a rule that is not disabled is a # # NOOP. # # # # Syntax: enablesid SID # # or: enablesid SID1, SID2, SID3, ... # ######################################################################## ######################################################################## # SIDs to comment out, i.e. disable, after each update by placing a # # '#' in front of the rule (if it's a multi-line rule, it will be put # # in front of all lines). # # # # Syntax: disablesid SID # # or: disablesid SID1, SID2, SID3, ... # ########################################################################