-rw-r--r--config/snort/disablesid-sample.conf43
-rw-r--r--config/snort/enablesid-sample.conf39
-rw-r--r--config/snort/modifysid-sample.conf23
-rwxr-xr-xconfig/snort/snort.xml15
4 files changed, 120 insertions, 0 deletions
diff --git a/config/snort/disablesid-sample.conf b/config/snort/disablesid-sample.conf
new file mode 100644
index 00000000..026f4d94
--- /dev/null
+++ b/config/snort/disablesid-sample.conf
@@ -0,0 +1,43 @@
+# example disablesid.conf
+
+# Example of modifying state for individual rules
+# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
+
+# Example of modifying state for rule ranges
+# 1:220-1:3264,3:13010-3:13013
+
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
+# Example of modifying state for MS and cve rules, note the use of the :
+# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
+# and all MS00 and all cve 2000 related sids! These support regular expression
+# matching only after you have specified what you are looking for, i.e.
+# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
+# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
+# for this.
+# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
+
+# Example of using the pcre: keyword to modify rulestate. the pcre keyword
+# allows for full use of regular expression syntax, you do not need to designate
+# with / and all pcre searches are treated as case insensitive. For more information
+# about regular expression syntax: http://www.regular-expressions.info/
+# The following example modifies state for all MS07 through MS10
+# pcre:MS(0[7-9]|10)-\d+
+# pcre:"Joomla"
+
+# Example of modifying state for specific categories entirely.
+# "snort_" limits to Snort VRT rules, "emerging-" limits to
+# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
+# "shellcode" with no prefix would match in any vendor set.
+# snort_web-iis,emerging-shellcode,etpro-imap,shellcode
+
+# Any of the above values can be on a single line or multiple lines, when
+# on a single line they simply need to be separated by a ,
+# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
+
+# The modifications in this file are for sample/example purposes only and
+# should not actively be used, you need to modify this file to fit your
+# environment.
+
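Review bot: The category, `MS00-\d+`/`cve:2000-\d+` and `pcre:` selectors shown in this sample can turn off far more rules than the reader intends, and the file does not say how to check what actually matched. An unanchored, case-insensitive pattern such as `pcre:"Joomla"` is the clearest case, since any rule whose searched text contains that word would be affected. Which rule fields the pattern is matched against is not stated here, so that should be documented too. I would add a line next to the closing caveat such as `# Broad selectors (categories, MS00-\d+, pcre:) can disable many rules at once; review the resulting rule state before relying on it.`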
diff --git a/config/snort/enablesid-sample.conf b/config/snort/enablesid-sample.conf
new file mode 100644
index 00000000..4cccc5dd
--- /dev/null
+++ b/config/snort/enablesid-sample.conf
@@ -0,0 +1,39 @@
+# example enablesid.conf
+
+# Example of modifying state for individual rules
+# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
+
+# Example of modifying state for rule ranges
+# 1:220-1:3264,3:13010-3:13013
+
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
+# Example of modifying state for MS and cve rules, note the use of the :
+# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
+# and all MS00 and all cve 2000 related sids! These support regular expression
+# matching only after you have specified what you are looking for, i.e.
+# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
+# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
+# for this.
+# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
+
+# Example of using the pcre: keyword to modify rulestate. the pcre keyword
+# allows for full use of regular expression syntax, you do not need to designate
+# with / and all pcre searches are treated as case insensitive. For more information
+# about regular expression syntax: http://www.regular-expressions.info/
+# The following example modifies state for all MS07 through MS10
+# pcre:MS(0[7-9]|10)-\d+
+# pcre:"Joomla"
+
+# Example of modifying state for specific categories entirely.
+# "snort_" limits to Snort VRT rules, "emerging-" limits to
+# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
+# "shellcode" with no prefix would match in any vendor set.
+# snort_web-iis,emerging-shellcode,etpro-imap,shellcode
+
+# Any of the above values can be on a single line or multiple lines, when
+# on a single line they simply need to be separated by a ,
+# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
+
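Review bot: The trailing-comment example `# 1:1011 # I Disabled this rule because I could!` was carried over unchanged from the disablesid sample and reads wrongly in a file whose purpose is to enable rules. It should say `# 1:1011 # I enabled this rule because I could!`. This file also drops the closing caveat that the disablesid sample ends with (sample only, adapt to your environment). That caveat is worth keeping here, because enabling whole categories or `cve:2000-\d+` style matches can turn on a large number of rules that are off by default and flood the sensor with alerts.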
diff --git a/config/snort/modifysid-sample.conf b/config/snort/modifysid-sample.conf
new file mode 100644
index 00000000..d59f84ba
--- /dev/null
+++ b/config/snort/modifysid-sample.conf
@@ -0,0 +1,23 @@
+# example modifysid.conf
+#
+# formatting is simple
+# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
+#
+# Note that this will only work with GID:1 rules, simply because modifying
+# GID:3 SO stub rules would not actually affect the rule.
+#
+# If you are attempting to change rulestate (enable,disable) from here
+# then you are doing it wrong. Do this from within the respective
+# rulestate modification configuration files.
+
+# the following applies to sid 10010 only and represents what would normally
+# be s/to_client/from_server/
+# 10010 "to_client" "from_server"
+
+# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
+# rules
+# "HTTP_PORTS" "HTTPS_PORTS"
+
+# multiple sids can be specified as noted below:
+# 302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
+
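Review bot: The format line `<sid or sid list> "what I'm replacing" "what I'm replacing it with"` does not say whether the first quoted string is a literal or a regular expression. The last example escapes `$` as `\$`, which suggests it is treated as a pattern. If so, say it explicitly, e.g. `# The first quoted string is a regular expression; escape metacharacters such as $ and . to match them literally.` The unscoped example `"HTTP_PORTS" "HTTPS_PORTS"` rewrites every GID:1 rule and would stop those rules from inspecting plain HTTP traffic. A one-line warning that an entry with no sid list applies to all rules would help a reader who uncomments it.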
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 663ce4eb..dafadd51 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -273,6 +273,21 @@
<chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/snort/widget-snort.inc</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/disablesid-sample.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/enablesid-sample.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/modifysid-sample.conf</item>
+ </additional_files_needed>
<fields>
</fields>
<custom_add_php_command>
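Review bot: The three sample files are installed under fixed names directly into `/var/db/snort/sidmods/`, and nothing in this hunk or in the samples tells a user to copy them before editing. If the package installer re-fetches `additional_files_needed` items on reinstall or upgrade (not visible here), a sample that was edited in place would be silently replaced and the rule-state changes it carried would be lost. I would add a header line to each sample such as `# Copy this file to a new name before editing; the sample may be replaced on package reinstall or upgrade.`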