08ee37b8d7
Re-enable support for non Ethernet decoders so that Snort can listen on our pflog(4) interface again. Tested on amd64 and i386. Before the 64-bit time_t change, it was also tested on amd64 and i386 (by myself and Adam Jeanguenat) and on macppc.
$OpenBSD: patch-etc_snort_conf,v 1.10 2013/08/21 02:28:43 lteo Exp $
|
|
|
|
reputation preprocessor disabled because it is still experimental; rule and DAQ paths rewritten to the port's installation layout
|
|
|
|
--- etc/snort.conf.orig Tue Jul 23 14:37:33 2013
|
|
+++ etc/snort.conf Mon Aug 5 14:38:56 2013
|
|
@@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1
|
|
# Path to your rules files (this can be a relative path)
|
|
# Note for Windows users: You are advised to make this an absolute path,
|
|
# such as: c:\snort\rules
|
|
-var RULE_PATH ../rules
|
|
-var SO_RULE_PATH ../so_rules
|
|
-var PREPROC_RULE_PATH ../preproc_rules
|
|
+var RULE_PATH ${SYSCONFDIR}/snort/rules
|
|
+var SO_RULE_PATH ${SYSCONFDIR}/snort/so_rules
|
|
+var PREPROC_RULE_PATH ${SYSCONFDIR}/snort/preproc_rules
|
|
|
|
# If you are using reputation preprocessor set these
|
|
# Currently there is a bug with relative paths, they are relative to where snort is
|
|
# not relative to snort.conf like the above variables
|
|
# This is completely inconsistent with how other vars work, BUG 89986
|
|
# Set the absolute path appropriately
|
|
-var WHITE_LIST_PATH ../rules
|
|
-var BLACK_LIST_PATH ../rules
|
|
+var WHITE_LIST_PATH ${SYSCONFDIR}/snort/rules
|
|
+var BLACK_LIST_PATH ${SYSCONFDIR}/snort/rules
|
|
|
|
###################################################
|
|
# Step #2: Configure the decoder. For more information, see README.decode
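Review bot: The `${SYSCONFDIR}` tokens in the six new `var` lines are a ports-framework placeholder, not Snort variable syntax (Snort expands `$NAME`/`$(NAME)`), so these lines only work if the port's build substitutes them before install; that substitution step is not visible in this patch. If it is ever dropped, Snort will be handed the literal text `${SYSCONFDIR}/snort/rules` and every `include $RULE_PATH/...` below will point at a non-existent directory. Worth recording the dependency next to the first occurrence, e.g. `# ${SYSCONFDIR} is replaced by the OpenBSD port at build time; do not edit the installed file to contain it literally.` Note also that `WHITE_LIST_PATH`/`BLACK_LIST_PATH` are now absolute, which is exactly what the upstream comment above them (the relative-path bug) asks for, so that part needs no further change.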
|
|
@@ -158,6 +158,7 @@ config checksum_mode: all
|
|
#
|
|
# config daq: <type>
|
|
# config daq_dir: <dir>
|
|
+config daq_dir: ${PREFIX}/lib/daq/
|
|
# config daq_mode: <mode>
|
|
# config daq_var: <var>
|
|
#
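Review bot: The new `config daq_dir: ${PREFIX}/lib/daq/` line names the directory from which Snort loads DAQ modules as shared objects into the capture process, which on this platform typically runs with the privileges needed to open pflog(4) or bpf; pinning it to an absolute install path is the right call, but the line should say what it implies for the directory's permissions. Suggested comment above it: `# DAQ modules in this directory are loaded as shared objects by the Snort process; keep it root-owned and not group- or world-writable.` As with the rule paths earlier in this patch, `${PREFIX}` is a build-time placeholder and relies on the port substituting it, which is not shown here.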
|
|
@@ -503,12 +504,12 @@ preprocessor dnp3: ports { 20000 } \
|
|
check_crc
|
|
|
|
# Reputation preprocessor. For more information see README.reputation
|
|
-preprocessor reputation: \
|
|
- memcap 500, \
|
|
- priority whitelist, \
|
|
- nested_ip inner, \
|
|
- whitelist $WHITE_LIST_PATH/white_list.rules, \
|
|
- blacklist $BLACK_LIST_PATH/black_list.rules
|
|
+#preprocessor reputation: \
|
|
+# memcap 500, \
|
|
+# priority whitelist, \
|
|
+# nested_ip inner, \
|
|
+# whitelist $WHITE_LIST_PATH/white_list.rules, \
|
|
+# blacklist $BLACK_LIST_PATH/black_list.rules
|
|
|
|
###################################################
|
|
# Step #6: Configure output plugins
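Review bot: The six reputation lines are commented out without any in-file reason; the rationale lives only in the patch header, which an operator editing the installed snort.conf will never see. Suggest a one-line note above the block: `# Disabled in the OpenBSD port: the reputation preprocessor is still experimental.` It would also help to say what re-enabling requires, since `$WHITE_LIST_PATH/white_list.rules` and `$BLACK_LIST_PATH/black_list.rules` are not otherwise mentioned in this patch and Snort appears to treat a missing list file as a fatal configuration error (confirm against the Snort version the port ships): `# To enable, first create white_list.rules and black_list.rules in the rules directory.`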
|
|
@@ -542,8 +543,9 @@ include reference.config
|
|
###################################################
|
|
|
|
# site specific rules
|
|
-include $RULE_PATH/local.rules
|
|
+#include $RULE_PATH/local.rules
|
|
|
|
+# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/
|
|
include $RULE_PATH/app-detect.rules
|
|
include $RULE_PATH/attack-responses.rules
|
|
include $RULE_PATH/backdoor.rules
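Review bot: Commenting out `include $RULE_PATH/local.rules` removes the one include an administrator is expected to populate with site-specific rules, while the VRT includes that follow remain unconditional; assuming the port does not (and by licence presumably cannot) ship the VRT rule files, a fresh install that starts Snort with the packaged snort.conf will stop at the first missing include, `app-detect.rules`, before any locally written rule is ever considered. If local.rules is disabled because the port does not install an empty one, say so on the line so it is not mistaken for an oversight: `#include $RULE_PATH/local.rules   # create this file for site rules, then uncomment`. The new comment also sends operators to a plain `http://` URL for rules that will be loaded into a privileged process; prefer `# Official Sourcefire VRT rules from https://www.snort.org/snort-rules/` and mention verifying the downloaded archive against the checksum or signature published alongside it.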
|
|
@@ -659,6 +661,9 @@ include $RULE_PATH/web-iis.rules
|
|
include $RULE_PATH/web-misc.rules
|
|
include $RULE_PATH/web-php.rules
|
|
include $RULE_PATH/x11.rules
|
|
+
|
|
+# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/
|
|
+# include $RULE_PATH/emerging.conf
|
|
|
|
###################################################
|
|
# Step #8: Customize your preprocessor and decoder alerts
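Review bot: The new comment points operators at `http://rules.emergingthreats.net/open/snort-2.9.0/` over plaintext HTTP, with no mention of integrity checking; rule files are policy that this IDS acts on, and a tampered download can blind detection or flood the sensor with bogus alerts, so the pointer should use `https://` and tell the reader to verify the archive against whatever checksum or signature the publisher provides before dropping it into `$RULE_PATH`. The `snort-2.9.0` component of the path also ties the advice to one rule-set version, which will silently drift from the Snort version the port actually installs (not visible in this patch); a neutral wording such as `# Emerging Threats rules (pick the set matching the installed Snort version) from https://rules.emergingthreats.net/open/` avoids that. The commented-out `# include $RULE_PATH/emerging.conf` is fine as an opt-in, since it is off by default and only becomes active once the operator has placed the files.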
|