# Config file for pulledpork

# Be sure to read through the entire configuration file

# If you specify any of these items on the command line, it WILL take 

# precedence over any value that you specify in this file!



#######

#######  The below section defines what your oinkcode is (required for 

#######  VRT rules), defines a temp path (must be writable) and also 

#######  defines what version of rules that you are getting (for your 

#######  snort version and subscription etc...)

####### 



# The rule_url value replaces the old base_url and rule_file configuration

# options.  You can now specify one or as many rule_urls as you like, they 

# must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify

# each on an individual line, or you can specify them in a , separated list

# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456

# note that the url, rule file, and oinkcode itself are separated by a pipe |

# i.e. url|tarball|123456789, 

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>;



# get the rule docs!

rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>;

rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open



# THE FOLLOWING URL is for etpro downloads, note the tarball name change!

# and the et oinkcode requirement!

rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>



# NOTE above that the VRT snortrules-snapshot does not contain the version

# portion of the tarball name, this is because PP now automatically populates

# this value for you, if, however you put the version information in, PP will

# NOT populate this value but will use your value!

#

# Specify rule categories to ignore from the tarball in a comma separated list

# with no spaces.  There are four ways to do this:

# 1) Specify the category name with no suffix at all to ignore the category

#    regardless of what rule-type it is, ie: netbios

# 2) Specify the category name with a '.rules' suffix to ignore only gid 1

#    rulefiles located in the /rules directory of the tarball, ie: policy.rules

# 3) Specify the category name with a '.preproc' suffix to ignore only

#    preprocessor rules located in the /preproc_rules directory of the tarball,

#    ie: sensitive-data.preproc

# 4) Specify the category name with a '.so' suffix to ignore only shared-object

#    rules located in the /so_rules directory of the tarball, ie: netbios.so

# The example below ignores dos rules wherever they may appear, sensitive-

# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),

# and netbios gid-1 rules (while including netbios so-rules):

# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules

# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.

ignore=deleted.rules,experimental.rules,local.rules

# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the

# previous ignore line and uncomment the following!

# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data



# Define your Oinkcode - DEPRICATED, SEE RULE_URL

oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



# What is our temp path, be sure this path has a bit of space for rule 

# extraction and manipulation, no trailing slash

temp_path=/tmp



#######

#######  The below section is for rule processing.  This section is 

#######  required if you are not specifying the configuration using

#######  runtime switches.  Note that runtime switches do SUPERSEED 

#######  any values that you have specified here!

#######



# What path you want the .rules file containing all of the processed 

# rules? (this value has changed as of 0.4.0, previously we copied 

# all of the rules, now we are creating a single large rules file

# but still keeping a separate file for your so_rules!

rule_path=/etc/snort.d/rules



# What path you want the .rules files to be written to, this is UNIQUE

# from the rule_path and cannot be used in conjunction, this is to be used with the

# -k runtime flag, this can be set at runtime using the -K flag or specified

# here.  If specified here, the -k option must also be passed at runtime, however

# specifying -K <path> at runtime forces the -k option to also be set

# out_path=/etc/snort.d/rules/



# If you are running any rules in your local.rules file, we need to

# know about them to properly build a sid-msg.map that will contain your

# local.rules metadata (msg) information.  You can specify other rules

# files that are local to your system here by adding a comma and more paths...

# remember that the FULL path must be specified for EACH value.

# local_rules=/path/to/these.rules,/path/to/those.rules

# local_rules=/etc/snort.d/rules/local.rules

local_rules=/etc/snort.d/rules/gpl/attack_response.rules,/etc/snort.d/rules/gpl/chat.rules,/etc/snort.d/rules/gpl/dns.rules,/etc/snort.d/rules/gpl/exploit.rules,/etc/snort.d/rules/gpl/ftp.rules,/etc/snort.d/rules/gpl/icmp_info.rules,/etc/snort.d/rules/gpl/imap.rules,/etc/snort.d/rules/gpl/misc.rules,/etc/snort.d/rules/gpl/netbios.rules,/etc/snort.d/rules/gpl/p2p.rules,/etc/snort.d/rules/gpl/pop3.rules,/etc/snort.d/rules/gpl/rpc.rules,/etc/snort.d/rules/gpl/scan.rules,/etc/snort.d/rules/gpl/shellcode.rules,/etc/snort.d/rules/gpl/smtp.rules,/etc/snort.d/rules/gpl/snmp.rules,/etc/snort.d/rules/gpl/sql.rules,/etc/snort.d/rules/gpl/tftp.rules,/etc/snort.d/rules/gpl/web_client.rules,/etc/snort.d/rules/gpl/web_server.rules,/etc/snort.d/rules/gpl/web_specific_apps.rules



# Where should I put the sid-msg.map file?

sid_msg=/etc/snort.d/sid-msg.map



# Where do you want me to put the sid changelog?  This is a changelog 

# that pulledpork maintains of all new sids that are imported

sid_changelog=/var/log/sid_changes.log

# this value is optional



#######

#######  The below section is for so_rule processing only.  If you don't

#######  need to use them.. then comment this section out!

#######  Alternately, if you are not using pulledpork to process 

#######  so_rules, you can specify -T at runtime to bypass this altogether

#######



# What path you want the .so files to actually go to *i.e. where is it

# defined in your snort.conf, needs a trailing slash

sorule_path=/etc/snort.d/rules/



# Path to the snort binary, we need this to generate the stub files

snort_path=/usr/sbin/snort



# We need to know where your snort.conf file lives so that we can

# generate the stub files

config_path=/etc/snort.conf



# This is the file that contains all of the shared object rules that pulledpork

# has processed, note that this has changed as of 0.4.0 just like the rules_path!

sostub_path=/etc/snort.d/rules/so_rules.rules



# Define your distro, this is for the precompiled shared object libs!

# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04

# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4

# FC-5, FC-9, FC-11, FC-12, RHEL-5.0

# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1

# OpenSUSE-11-3

distro=Centos-6-4



#######  This next section is optional, but probably pretty useful to you.

#######  Please read thoroughly!



# What do you want to backup and archive?  This is a comma separated list

# of file or directory values.  If a directory is specified, PP will recurse

# through said directory and all subdirectories to archive all files.

# The following example backs up all snort config files, rules, pulledpork

# config files, and snort shared object binary rules.

backup=/etc/snort.d,/etc/pulledpork,/usr/lib/snort_dynamicrules/



# what path and filename should we use for the backup tarball?

# note that an epoch time value and the .tgz extension is automatically added

# to the backup_file name on completeion i.e. the written file is:

# pp_backup.1295886020.tgz

backup_file=/tmp/pp_backup



# Where do you want the signature docs to be copied, if this is commented 

# out then they will not be copied / extracted.  Note that extracting them 

# will add considerable runtime to pulledpork.

# docs=/path/to/base/www



# The following option, state_order, allows you to more finely control the order

# that pulledpork performs the modify operations, specifically the enablesid

# disablesid and dropsid functions.  An example use case here would be to

# disable an entire category and later enable only a rule or two out of it.

# the valid values are disable, drop, and enable.

# state_order=disable,drop,enable





# Define the path to the pid files of any running process that you want to

# HUP after PP has completed its run.

# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid

# and so on...

# pid_path=/var/run/snort_eth0.pid



# This defines the version of snort that you are using, for use ONLY if the 

# proper snort binary is not on the system that you are fetching the rules with

# Defining this value will set the Textonly flag, and thus will NOT allow

# you to use shared object rules.  This value MUST contain all 4 minor version

# numbers. ET rules are now also dependant on this, verify supported ET versions

# prior to simply throwing rubbish in this variable kthx!

# snort_version=2.9.0.0



# Here you can specify what rule modification files to run automatically.

# simply uncomment and specify the apt path.

# enablesid=/usr/local/etc/snort/enablesid.conf

# dropsid=/usr/local/etc/snort/dropsid.conf

# disablesid=/usr/local/etc/snort/disablesid.conf

# modifysid=/usr/local/etc/snort/modifysid.conf



# What is the base ruleset that you want to use, please uncomment to use

# and see the README.RULESETS for a description of the options.  

# Note that setting this value will disable all ET rulesets if you are 

# Running such rulesets

# ips_policy=security



####### Remember, a number of these values are optional.. if you don't 

####### need to process so_rules, simply comment out the so_rule section

####### you can also specify -T at runtime to process only GID 1 rules.



version=0.6.0