# $Id: template-examples.conf,v 1.9 2006/01/29 14:54:58 andreas_o Exp $ #
# Disclaimer:
# DO NOT USE THIS FILE DIRECTLY. The templates in here are only
# quick examples just to give you some ideas and may be
# changed or deleted in future releases. If there is a template you want
# to use, review it carefully and put it in your own oinkmaster.conf (or
# your own templates.conf or whatever) instead of using this file
# directly. If you create your own templates and want them added to
# this file, please send them to me.
# For more information about templates, see README.templates.
# Here are a bunch of sample template definitions, later followed by
# examples of how to use them.
# Tag by src for 10 seconds by adding the string
# "tag: host,src,10,seconds;" right after the SID statement.
# Matches the rule's "sid:<n>;" option (captured as ${1}) and inserts the
# tag option directly after it.  Rules without a sid option are left
# untouched because nothing matches.  The host/src/10/seconds values are
# fixed here; see add_threshold_with_values for the %ARG% pattern if you
# need them configurable per use_template line.
define_template add_src_tagging \
"\b(sid\s*:\s*\d+\s*;)" | \
"${1} tag: host,src,10,seconds;"
# If you want to append stuff at the very end of a rule, you could do
# something like this:
# define_template add_src_tagging \
# "\)\n$" | \
# "tag: host,src,10,seconds;)\n"
# Take text given as argument and append it to the rule's "msg" string.
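# ${1} captures everything from "msg:" up to (but not including) the
# closing quote; the argument text is appended inside the quotes and the
# terminating ';' is re-emitted.  The pattern ends at the ';' and nothing
# else, so the text that follows it (a space or the next option) is kept
# exactly as it was — in particular the first letter of a following
# "sid:" option is never swallowed.
# The argument is placed inside the msg string verbatim, so it must not
# contain a double quote or ';' — either would break the msg string.
define_template append_msg \
"\b(msg\s*:\s*".+?)"\s*;+" | \
"${1}%ARG1%";"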
# Add thresholding of type "both", count 30, seconds 60.
# Same anchor as add_src_tagging: inserts the option right after the
# captured "sid:<n>;".  type/track/count/seconds are fixed here; use
# add_threshold_with_values to pass count and seconds per use_template
# line.
# NOTE(review): newer Snort releases treat the in-rule "threshold" option
# as deprecated in favour of detection_filter / event_filter — confirm
# against the engine version you run before relying on this template.
define_template add_threshold \
"\b(sid\s*:\s*\d+\s*;)" | \
"${1} threshold:type both,track by_dst,count 30,seconds 60;"
# Add by_dst thresholding with values for count and seconds given
# as arguments when using the template.
# As add_threshold, but count and seconds come from the first and second
# template arguments.  They are substituted verbatim into the rule text,
# so pass plain integers (e.g. "10" "30"); anything else ends up inside
# the threshold option exactly as written.
define_template add_threshold_with_values \
"\b(sid\s*:\s*\d+\s*;)" | \
"${1} threshold:type both,track by_dst,count %ARG1%,seconds %ARG2%;"
# Change classtype to the one specified as argument.
# Replaces the whole existing "classtype:<name>;" option with the
# argument.  The argument is written verbatim, so it should be a single
# classtype name with no spaces or ';'.  Rules without a classtype option
# are not changed (the pattern needs one to match).
# NOTE(review): the new name presumably has to be one the engine's
# classification config defines — verify, since an unknown classtype
# could affect rule loading.
define_template change_classtype \
"\bclasstype\s*:\s*\S+\s*;" | \
"classtype:%ARG1%;"
# Convert an active alert rule to a drop rule
# Only lines beginning with "alert" followed by whitespace are rewritten;
# indented or already commented-out rules are not touched because of the
# ^ anchor.  The replacement re-emits a single space, so the rest of the
# rule is preserved.  Whether "drop" has any effect depends on the engine
# running inline — in passive mode the rule would presumably be ignored
# or rejected at load time; confirm for your deployment.
define_template make_drop "^alert\s" | "drop "
# Remove "flow" statement.
# Strips the first "flow:<value>;" option whose value consists only of
# lower-case letters, commas, underscores and spaces.  Removing flow
# makes the rule inspect traffic regardless of direction and stream
# state, which can raise false positives and inspection cost — use it
# deliberately.  The pattern has no \b anchor, so it would also match a
# longer word ending in "flow" that is followed by ':'.
define_template remove_flow "flow\s*:\s*[a-z,_ ]+;" | ""
# Comment out rules containing a certain option.
# Comments out every rule containing "<keyword>:" (the argument) by
# prefixing the whole captured line with '#'.  The argument is inserted
# into the pattern text itself, so regex metacharacters in it (".", "*",
# "(" ...) are interpreted — pass a plain keyword name.  The match may
# land anywhere on the line, including inside quoted msg/content text,
# so a rule whose msg happens to contain "keyword:" is disabled too.
define_template disable_by_keyword "(.*\b%ARG1%\s*:.+;.*)" | "#${1}"
# Switch $EXTERNAL_NET/$HOME_NET in a rule watching for stuff from
# $EXTERNAL_NET to $HOME_NET, so it becomes $HOME_NET to $EXTERNAL_NET.
# Swaps the two variable names; the three greedy captures hold the text
# before, between and after them.  Requires exactly one space on each
# side of "$EXTERNAL_NET" and "$HOME_NET" and that $EXTERNAL_NET appears
# before $HOME_NET; rules using other address variables do not match.
# Because the match is anchored only on the literal names, a rule that
# mentions them more than once could be split at an unexpected position
# — review the output for such rules.  The rule is modified in place, not
# copied, so the original direction is no longer watched afterwards.
define_template check_outgoing \
"(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
"${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# Switch $EXTERNAL_NET/$HOME_NET in a rule watching for stuff from
# $HOME_NET to $EXTERNAL_NET, so it becomes $EXTERNAL_NET to $HOME_NET.
# Mirror of check_outgoing: requires exactly one space on each side of
# "$HOME_NET" and "$EXTERNAL_NET" with $HOME_NET first; the three greedy
# captures hold the text before, between and after the two names.  Rules
# using other address variables are not touched, and a rule mentioning
# the names more than once could be split at an unexpected position —
# review the output for such rules.  The rule is modified in place, so
# the original direction is no longer watched afterwards.
define_template check_incoming \
"(.+) \$HOME_NET (.+) \$EXTERNAL_NET (.+)" | \
"${1} \$EXTERNAL_NET ${2} \$HOME_NET ${3}"
# Make source and destination address specifications in an alert rule
# become "any", regardless of their current values.
# ${1} is "alert <proto>", the next \S+ (skipped) is the source address,
# ${2} runs non-greedily up to and including the '>' of the direction
# operator (so it holds the source port plus "->" or "<>"), and the final
# \S+ skipped is the destination address.  Only "alert" rules match, and
# each address must be a single token without spaces — a bracketed list
# containing spaces would not be replaced as intended.  Opening both
# ends to "any" widens the rule considerably, so expect more alerts.
define_template src_dst_any_any \
"^(alert\s+\S+)\s+\S+\s+(.*?>)\s+\S+" | "${1} any ${2} any"
# Just like disablesid but also add a comment line before the disabled
# rule.
# Inserts a comment line carrying the reason, then comments the rule out.
# Only lines starting with "alert" match (^ anchor), so a rule that has
# already been disabled is not matched a second time.  The argument is
# written into the comment text verbatim; a newline inside it would end
# the comment early, so keep the reason to a single line.
define_template disable_with_comment \
"^alert\s" | "# Rule disabled by Oinkmaster, reason=%ARG1%:\n#alert "
# Delete an active rule by removing it from the file completely.
# Blanks the entire line of any active "alert" rule (.+$ covers the rest
# of the line), so the rule is gone rather than commented out.  Unlike
# disablesid this leaves no trace in the rules file; the selector on the
# use_template line (sid list, file name, or *) is the only thing
# limiting the scope, so double-check it before use — "*" removes every
# active alert rule.
define_template delete_rule \
"^alert\s.+$" | ""
# Tag by src for the number of seconds given as argument. Also include
# this number in a string appended to the rule's msg.
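# Combined form of append_msg and add_src_tagging: ${1} is the rule from
# "alert" up to the end of the msg text, ${2} is everything between the
# msg option and the sid option, ${3} is the sid option itself.  The same
# %ARG1% value is both written into the msg and used as the tag
# duration, so pass a plain number of seconds.  Only rules starting with
# "alert" (optionally indented) that carry both msg and sid match.
# The msg match ends at the ';' and nothing else, so whatever follows
# (spacing, the next option) is carried over in ${2} unchanged and the
# first letter of a following option is never swallowed.
define_template tag_src_and_append_msg \
"^(\s*alert\s+.+\bmsg\s*:\s*".+?)"\s*;+(.*)\b(sid\s*:\s*\d+\s*;)" | \
"${1}, tagging for %ARG1% seconds";${2}${3} tag: host,src,%ARG1%,seconds;"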
# This is a template to disable a rule only if it has a specific
# revision. Very useful if you want to temporarily disable a rule
# because of false positives and you want to start using the rule again
# as soon as it is updated (i.e. when the "rev" keyword changes).
# The revision is specified as argument when using the template.
# Comments out the rule only while its "rev:" value equals the argument;
# once the rule is updated with a new revision the pattern stops matching
# and the rule is active again.  The argument is inserted into the
# pattern text, so give a plain number; because \s*; must follow it,
# "3" does not match "rev:30;".
define_template disablesid_rev "(.+\brev\s*:\s*%ARG1%\s*;.*)" | "#${1}"
# Now some examples of how to use the above templates.
# Add tagging by src to SID 1324.
# use_template add_src_tagging 1324
# Append the string " - added text!" to the msg of SID 1324.
# use_template append_msg 1324 " - added text!"
# Add thresholding with values hardcoded into the add_threshold template.
# use_template add_threshold 1326
# Add thresholding with count value given as first argument
# and seconds value given as second argument.
# use_template add_threshold_with_values 1326 "10" "30"
# Change the classtype to "some-other-classtype" in SID 1324 and 1325.
# use_template change_classtype 1324,1325 "some-other-classtype"
# Make SID 1324 a drop rule.
# use_template make_drop 1324
# Make all rules in exploit.rules drop rules.
# use_template make_drop exploit.rules
# Remove the "flow" statement from SID 1324.
# use_template remove_flow 1324
# Disable all rules that are using the "uricontent" keyword.
# use_template disable_by_keyword * "uricontent"
# Reverse $EXTERNAL_NET and $HOME_NET in SID 1324 to watch only
# for outgoing attacks of this kind.
# use_template check_outgoing 1324
# Make both src and dst "any" in SID 1326.
# use_template src_dst_any_any 1326
# Disable rule 1323, and also add a comment line above it
# in the rules file.
# use_template disable_with_comment 1323 "I don't like this rule"
# Add 60 seconds tagging to SID 528, and also add this
# information to its msg string.
# use_template tag_src_and_append_msg 528 "60"
# This will delete (not disable) the SIDs 1323, 1324 and 1326.
# use_template delete_rule 1323, 1324, 1326
# This will delete ALL active rules. Not a very useful example :)
# use_template delete_rule *
# Disable SID 1324, but only if the revision (the "rev" keyword) is 3.
# use_template disablesid_rev 1324 "3"