Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

359 lines (302 sloc) 11.159 kB
#
# Barnyard2 example configuration file
#
#
# This file contains a sample barnyard2 configuration.
# You can take the following steps to create your own custom configuration:
#
# 1) Configure the variable declarations
# 2) Setup the input plugins
# 3) Setup the output plugins
#
#
# Step 1: configure the variable declarations
#
# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.
# use UTC for timestamps
#
#config utc
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=
# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority
# set the directory for any output logging
#
#config logdir: /tmp
# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
# For a snort process as follows:
# snort -i eth0 -c /etc/snort.conf
#
# Typical options would be:
# config hostname: thor
# config interface: eth0
# config alert_with_interface_name
#
#config hostname: thor
#config interface: eth0
# enable printing of the interface name when alerting.
#
#config alert_with_interface_name
# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream
# enable daemon mode
#
#config daemon
# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2
# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999
# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999
# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid
# enable decoding of the data link (or second level headers).
#
#config decode_data_link
# dump the application data
#
#config dump_payload
# dump the application data as chars only
#
#config dump_chars_only
# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose
# enable obfuscation of logged IP addresses.
#
#config obfuscate
# enable the year being shown in timestamps
#
#config show_year
# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066
# enable verbose logging
#
#config verbose
# quiet down some of the output
#
#config quiet
# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo
# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64
# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4
# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24
#
# CONTINOUS MODE
#
# set the archive directory for use with continous mode
#
#config archivedir: /tmp
# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only
#
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2
#
# Step 3: setup the output plugins
#
# alert_cef
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
# arguments should be comma delimited.
# host - specify a remote hostname or IP with optional port number
# this is only specific to WIN32 (and is not yet fully supported)
# severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
# facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
# output alert_cef
# output alert_cef: host=192.168.10.1
# output alert_cef: host=sysserver.com:1001
# output alert_cef: LOG_AUTH LOG_INFO
#
# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
# output alert_bro: 127.0.0.1:47757
# alert_fast
# ----------------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
# arguments should be comma delimited.
# file - specifiy alert file
# stdout - no alert file, just print to screen
#
# Examples:
# output alert_fast
# output alert_fast: stdout
#
output alert_fast: stdout
# prelude: log to the Prelude Hybrid IDS system
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
# snort-profile - name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info = 4
# low = 3
# medium = 2
# high = anything below medium
#
# Examples:
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
#
# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides the abilty to output alert information to local syslog
#
# severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
# facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
# output alert_syslog
# output alert_syslog: LOG_AUTH LOG_INFO
#
# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# local - if defined, ignore all remote information and use syslog() to send message.
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators $separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
# operation_mode $operaion_mode - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
# log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
# log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON
# log_ascii
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#
# Examples:
# output log_ascii
#
# log_tcpdump
# ----------------------------------------------------------------------------
#
# Purpose
# This output module logs packets in binary tcpdump format
#
# Arguments:
# The only argument is the output file name.
#
# Examples:
# output log_tcpdump: tcpdump.log
#
# sguil
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
# arguments should be comma delimited.
# agent_port - explicitly set the sguil agent listening port
# (default: 7736)
# sensor_name - explicitly set the sensor name
# (default: machine hostname)
#
# Examples:
# output sguil
# output sguil: agent_port=7000
# output sguil: sensor_name=argyle
# output sguil: agent_port=7000, sensor_name=argyle
#
# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
# alert_fwsam: allow blocking of IP's through remote services
# ----------------------------------------------------------------------------
# output alert_fwsam: <SnortSam Station>:<port>/<key>
#
# <FW Mgmt Station>: IP address or host name of the host running SnortSam.
# <port>: Port the remote SnortSam service listens on (default 898).
# <key>: Key used for authentication (encryption really)
# of the communication to the remote service.
#
# Examples:
#
# output alert_fwsam: snortsambox/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
#
Jump to Line
Something went wrong with that request. Please try again.