1 #
2 # Barnyard2 example configuration file
3 #
4
5 #
6 # This file contains a sample barnyard2 configuration.
7 # You can take the following steps to create your own custom configuration:
8 #
9 # 1) Configure the variable declarations
10 # 2) Setup the input plugins
11 # 3) Setup the output plugins
12 #
13
14 #
15 # Step 1: configure the variable declarations
16 #
17
18 # in order to keep from having a commandline that uses every letter in the
19 # alphabet most configuration options are set here.
20
21 # use UTC for timestamps
22 #
23 #config utc
24
25 # set the appropriate paths to the file(s) your Snort process is using.
26 #
27 config reference_file: /etc/snort/reference.config
28 config classification_file: /etc/snort/classification.config
29 config gen_file: /etc/snort/gen-msg.map
30 config sid_file: /etc/snort/sid-msg.map
31
32 # define dedicated references similar to that of snort.
33 #
34 #config reference: mybugs http://www.mybugs.com/?s=
35
36 # define explicit classifications similar to that of snort.
37 #
38 #config classification: shortname, short description, priority
39
# set the directory for any output logging. Use a directory owned by the
# barnyard2 user (e.g. /var/log/barnyard2) rather than the world-writable /tmp
# shown below, so other local users cannot read, replace or pre-create the
# log files.
#
42 #config logdir: /tmp
43
# the alert_with_interface_name, interface and hostname directives are provided
# for output plugins that need a unique sensor identity in their records.
# Typically you set them to the values of the snort process whose unified files
# you are reading.
48 #
49 # Example:
50 # For a snort process as follows:
51 # snort -i eth0 -c /etc/snort.conf
52 #
53 # Typical options would be:
54 # config hostname: thor
55 # config interface: eth0
56 # config alert_with_interface_name
57 #
58 #config hostname: thor
59 #config interface: eth0
60
61 # enable printing of the interface name when alerting.
62 #
63 #config alert_with_interface_name
64
65 # at times snort will alert on a packet within a stream and dump that stream to
66 # the unified output. barnyard2 can generate output on each packet of that
67 # stream or the first packet only.
68 #
69 #config alert_on_each_packet_in_stream
70
71 # enable daemon mode
72 #
73 #config daemon
74
# make barnyard2 process chroot to directory after initialisation.
# A chroot alone is not a privilege boundary: pair it with set_gid/set_uid
# below, and keep any file barnyard2 needs to open after that point (waldo
# file, logdir, archivedir, the unified2 spool) reachable inside the new root.
#
77 #config chroot: /var/spool/barnyard2
78
# specify the group or GID for barnyard2 to run as after initialisation.
# Use a dedicated unprivileged group rather than leaving the process in
# root's group.
#
81 #config set_gid: 999
82
# specify the user or UID for barnyard2 to run as after initialisation.
# Run as a dedicated unprivileged account, never root: the output plugins
# below process packet data taken from the network and write to the paths
# configured here, so a fault in the process should not yield root.
#
85 #config set_uid: 999
86
# specify where barnyard2 writes its PID file.
88 #
89 #config pidpath: /var/run/by2.pid
90
91 # enable decoding of the data link (or second level headers).
92 #
93 #config decode_data_link
94
95 # dump the application data
96 #
97 #config dump_payload
98
99 # dump the application data as chars only
100 #
101 #config dump_chars_only
102
103 # enable verbose dumping of payload information in log style output plugins.
104 #
105 #config dump_payload_verbose
106
107 # enable obfuscation of logged IP addresses.
108 #
109 #config obfuscate
110
111 # enable the year being shown in timestamps
112 #
113 #config show_year
114
# set the umask for all files created by the barnyard2 process (eg. log files).
# 066 yields owner-only read/write on new files (0600); use 077 if directories
# barnyard2 creates should not be traversable by other users either.
#
117 #config umask: 066
118
119 # enable verbose logging
120 #
121 #config verbose
122
123 # quiet down some of the output
124 #
125 #config quiet
126
# define the full waldo filepath. The waldo file records how far barnyard2 has
# read into the unified2 files, so keep it on persistent storage writable only
# by the barnyard2 user (e.g. alongside logdir), not in world-writable /tmp
# where it can be removed, replaced or lost at reboot and cause records to be
# replayed or skipped.
#
129 #config waldo_file: /tmp/waldo
130
# specify the maximum length of the MPLS label chain
132 #
133 #config max_mpls_labelchain_len: 64
134
135 # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
136 #
137 #config mpls_payload_type: ipv4
138
139 # set the reference network or homenet which is predominantly used by the
140 # log_ascii plugin.
141 #
142 #config reference_net: 192.168.0.0/24
143
144 #
# CONTINUOUS MODE
146 #
147
# set the archive directory for use with continuous mode. As with logdir,
# prefer a directory only the barnyard2 user can write to over /tmp.
#
150 #config archivedir: /tmp
151
# when operating in continuous mode, only process new records and ignore any
# existing unified files
154 #
155 #config process_new_records_only
156
157
158 #
159 # Step 2: setup the input plugins
160 #
161
162 # this is not hard, only unified2 is supported ;)
163 input unified2
164
165
166 #
167 # Step 3: setup the output plugins
168 #
169
170 # alert_cef
171 # ----------------------------------------------------------------------------
172 #
173 # Purpose:
# This output module provides the ability to output alert information to a
175 # remote network host as well as the local host using the open standard
176 # Common Event Format (CEF).
177 #
178 # Arguments: host=hostname[:port], severity facility
179 # arguments should be comma delimited.
180 # host - specify a remote hostname or IP with optional port number
181 # this is only specific to WIN32 (and is not yet fully supported)
182 # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
183 # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
184 #
185 # Examples:
186 # output alert_cef
187 # output alert_cef: host=192.168.10.1
188 # output alert_cef: host=sysserver.com:1001
189 # output alert_cef: LOG_AUTH LOG_INFO
190 #
191
192 # alert_bro
193 # ----------------------------------------------------------------------------
194 #
195 # Purpose: Send alerts to a Bro-IDS instance.
196 #
197 # Arguments: hostname:port
198 #
199 # Examples:
200 # output alert_bro: 127.0.0.1:47757
201
202 # alert_fast
203 # ----------------------------------------------------------------------------
204 # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
205 #
206 # Arguments: file <file>, stdout
207 # arguments should be comma delimited.
# file - specify alert file
209 # stdout - no alert file, just print to screen
210 #
211 # Examples:
212 # output alert_fast
213 # output alert_fast: stdout
214 #
215 output alert_fast: stdout
216
217
218 # prelude: log to the Prelude Hybrid IDS system
219 # ----------------------------------------------------------------------------
220 #
221 # Purpose:
222 # This output module provides logging to the Prelude Hybrid IDS system
223 #
224 # Arguments: profile=snort-profile
225 # snort-profile - name of the Prelude profile to use (default is snort).
226 #
227 # Snort priority to IDMEF severity mappings:
228 # high < medium < low < info
229 #
230 # These are the default mapped from classification.config:
231 # info = 4
232 # low = 3
233 # medium = 2
234 # high = anything below medium
235 #
236 # Examples:
237 # output alert_prelude
238 # output alert_prelude: profile=snort-profile-name
239 #
240
241
242 # alert_syslog
243 # ----------------------------------------------------------------------------
244 #
245 # Purpose:
# This output module provides the ability to output alert information to local syslog
247 #
248 # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
249 # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
250 #
251 # Examples:
252 # output alert_syslog
253 # output alert_syslog: LOG_AUTH LOG_INFO
254 #
255
256 # syslog_full
257 #-------------------------------
258 # Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL ie(syslog())
259 # Arguments:
260 # sensor_name $sensor_name - unique sensor name
261 # server $server - server the device will report to
262 # local - if defined, ignore all remote information and use syslog() to send message.
263 # protocol $protocol - protocol device will report over (tcp/udp)
264 # port $port - destination port device will report to (default: 514)
265 # delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
266 # separators $separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
# operation_mode $operation_mode - default | complete : default mode is compatible with the default snort syslog message format, complete prints more information such as the raw packet (hex encoded)
268 # log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
269 # log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)

# Note: the tcp and udp transports above send messages in clear text with no
# authentication, and udp gives no delivery guarantee, so alerts can be read,
# forged or silently dropped on an untrusted network. Send remote syslog over
# a trusted segment or an encrypted tunnel, and prefer tcp where the collector
# supports it.
# Usage Examples:
272 # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
273 # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
274 # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
275 # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
276 # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
277 # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
278 # output alert_syslog_full: sensor_name snortIds1-eth2, local
279 # output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON
280
281 # log_ascii
282 # ----------------------------------------------------------------------------
283 #
# Purpose: This output module provides the default packet logging functionality
285 #
286 # Arguments: None.
287 #
288 # Examples:
289 # output log_ascii
290 #
291
292
293 # log_tcpdump
294 # ----------------------------------------------------------------------------
295 #
296 # Purpose
297 # This output module logs packets in binary tcpdump format
298 #
299 # Arguments:
300 # The only argument is the output file name.
301 #
302 # Examples:
303 # output log_tcpdump: tcpdump.log
304 #
305
306
307 # sguil
308 # ----------------------------------------------------------------------------
309 #
310 # Purpose: This output module provides logging ability for the sguil interface
311 # See doc/README.sguil
312 #
313 # Arguments: agent_port <port>, sensor_name <name>
314 # arguments should be comma delimited.
315 # agent_port - explicitly set the sguil agent listening port
316 # (default: 7736)
317 # sensor_name - explicitly set the sensor name
318 # (default: machine hostname)
319 #
320 # Examples:
321 # output sguil
322 # output sguil: agent_port=7000
323 # output sguil: sensor_name=argyle
324 # output sguil: agent_port=7000, sensor_name=argyle
325 #
326
327
328 # database: log to a variety of databases
329 # ----------------------------------------------------------------------------
330 #
331 # Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
# The database credentials below are stored in clear text, so restrict this
# file to the barnyard2 user (e.g. mode 0600) and use a dedicated database
# account limited to the snort schema instead of root as in the first example.
#
334 # Examples:
335 # output database: log, mysql, user=root password=test dbname=db host=localhost
336 # output database: alert, postgresql, user=snort dbname=snort
337 # output database: log, odbc, user=snort dbname=snort
338 # output database: log, mssql, dbname=snort user=snort password=test
339 # output database: log, oracle, dbname=snort user=snort password=test
340 #
341
342
# alert_fwsam: allow blocking of IPs through remote services
344 # ----------------------------------------------------------------------------
345 # output alert_fwsam: <SnortSam Station>:<port>/<key>
346 #
# <SnortSam Station>: IP address or host name of the host running SnortSam.
# <port>: Port the remote SnortSam service listens on (default 898).
# <key>: Shared secret used to authenticate and encrypt the communication
# to the remote service. It is stored here in clear text, so protect this
# file and use a long, unique key per station.
# Because this plugin turns alerts into firewall blocks, a spoofed or
# deliberately triggered alert can be used to block legitimate addresses;
# make sure the SnortSam side is configured never to block critical hosts.
351 #
352 # Examples:
353 #
354 # output alert_fwsam: snortsambox/idspassword
355 # output alert_fwsam: fw1.domain.tld:898/mykey
356 # output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
357 #
358