# Which Snort/Talos rulesets do you want to download (recomended: choose only one) community_ruleset = false registered_ruleset = false LightSPD_ruleset = true # Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets oinkcode = # which blocklists to download snort_blocklist = false et_blocklist = true # additional blocklists to download from a URL, comma-separated blocklist_urls = https://www.neblink.net/blocklist/IP-Blocklist-clean.txt # Where to write the blocklist file (single file containing all blocklists downloaded) blocklist_path = /usr/local/etc/snort/lists/reputation.blacklist # PulledPork needs to know which version of Snort you are running in most instances. # you can do this by giving an explict snort_version or by providing the path (snort_path) # to the snort binary. If you don't do either of these, PulledPork will try to determine # the version of snort by searching for the the binary on your system path. # This is used to know which registere ruleset to download, the correct files from the LightSPD # ruleset, and will be used to compile .so rules if you don't provide the distro. # Where is the Snort Executable located (if not on the system path) snort_path = /usr/local/bin/snort # Which version of snort are you running (optional, not usually needed.). This version will over-rule snort_path #snort_version = 3.1.0.0 # Where is the PID file for your running snort process/daemon (required to tell snort to reload the # new rules after rules are modified) This is optional, but recomended. # the pid file is written by snort in Daemon mode or if you run snort with the --create-pidfile flag. # the pid file is named snort.pid and is saved in the logging directory (-l flag) # (no windows support at this time for this feature) pid_path=/var/log/snort/snort.pid # Enable / Disable rules based on the level of functionality/security you want. # must be one of: connectivity, balanced, security, max-detect, none # default is connectivity. Will not work with community ruleset. # https://www.snort.org/faq/why-are-rules-commented-out-by-default ips_policy = balanced # Rule Output mode: # simple (just a single .rules file, with any rule that's not commented out enabled) # policy (rules file with all rules enabled, using a policy file to enable/disable rules) rule_mode = simple # policy path is reqiured if you are using rule_mode = policy #policy_path = c:\snort\rules\pulledpork.states # where to save our single combined rule file (This is required, and needs to be an absolute path): rule_path = /usr/local/etc/snort/rules/snort.rules # Local Rules files # Specify local rules files, comma-separated local_rules = /usr/local/etc/snort/rules/local.rules # Rules files to ignore # includes.rules and snort3-deleted.rules are recommended to always be ignored # NOTE: the old "ignore" setting name (from Perl PulledPork) is also accepted here # if both are used, the values are combined and de-duped ignored_files = includes.rules, snort3-deleted.rules # do you want rules that are disabled to be included when writing rules to rule_path? # defaults to false. This is ignored if rule_mode = policy, since the policy determines which # rules are written include_disabled_rules = false # where should so rules be saved # so rules will only be processed if this is uncommented sorule_path = /usr/local/snort/extra # What Distro are you running? This must match one of the supported distros: # centos-x64, debian-x64, fc-x64, opensuse-x64, ubuntu-x64 # disable this entry to compile rules manually (not yet supported) distro = fc-x64 # do you want all the different policys files written to a local directory (for advanced users) #policies_path = /usr/local/etc/rules/ # WARNING: RULE MODIFICATION WITH THESE FILES IS PARTIALLY IMPMEMENTED # The code for this functionality is experimental, and does not handle GID:SID Ranges # or CATEGORIES yet (VRT- or ET- or Custom-) # you can use PulledPork2 compatable files / formatting for these files # # Here you can specify what rule modification files to run automatically. # simply uncomment and specify the apt path. # enablesid=/usr/local/etc/snort/enablesid.conf # dropsid=/usr/local/etc/snort/dropsid.conf # disablesid=/usr/local/etc/snort/disablesid.conf # WARNING: RULE MODIFICATION with modifysid IS NOT IMPLEMENTED YET # modifysid=/usr/local/etc/snort/modifysid.conf # WARNING: RULE MODIFICATION IS NOT IMPLEMENTED YET # The following option, state_order, allows you to more finely control the order # that pulledpork performs the modify operations, specifically the enablesid # disablesid and dropsid functions. An example use case here would be to # disable an entire category and later enable only a rule or two out of it. # the valid values are disable, drop, and enable. # state_order=disable,drop,enable # PulledPork will use the system default temporary working directory, unless you specify a different one below. # (this is not common). PulledPork will create a working folder named PulledPork-YYYY.MM.DD-HH.MM.SS in the # temp location. This is useful during troubleshooting PulledPork3 with the -k (keep temp directory) flag #temp_path = /tmp # Pulledpork3 configuration version variable: may be used in future CONFIGURATION_NUMBER = 3.0.0.3