This file is indexed.

/etc/oinkmaster.conf is in oinkmaster 2.0-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
# $Id: oinkmaster.conf,v 1.134 2008/02/18 19:33:45 andreas_o Exp $ #


# This file is pretty big by default, but don't worry. 
# Everything in here is completely optional and the defaults
# should work for most people. The download URL of the rules
# archive must be set either in here or on the command line.

# Remember not to let untrusted users edit Oinkmaster configuration
# files, as things like the PATH to use during execution is defined
# in here.



# Use "url = <url>" to specify the location of the rules archive to 
# download. The url must begin with http://, https://, ftp://, file:// 
# or scp:// and end with .tar.gz or .tgz, and the file must be a 
# gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all 
#       possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
# on which Snort version you run. Basically, you should go to
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future!). You can of course also specify locations to third party 
# rules. You may specify multiple URLs.
#
# As of March 2005, you must register on the Snort site to get access 
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
# For example, if your code is 5a081649c06a277e1022e1284b and
# you use Snort 2.7, the url to use would be:
# http://www.snort.org/pub-bin/oinkmaster.cgi/5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.7.tar.gz
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
# more information.


# URL examples follows. Replace <oinkcode> with the code you get on the 
# Snort site in your registered user profile.


# VRT certified rules for registered users, Snort 2.7.
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.7.tar.gz

# VRT certified rules for registered users, Snort 2.8.
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.8.tar.gz

# VRT certified rules for registered users, Snort-CURRENT
# ("CURRENT" here means experimental snapshots!).
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz


# Community rules and Snort 2.4.
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-2.4.tar.gz

# Community rules for snort-CURRENT
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz


# Example for rules from the Emerging Threats site (previously known as Bleeding Snort).
# url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# Old url:
# url = http://www.emergingthreats.net/rules/bleeding.rules.tar.gz


# If you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://<filename>, for example:
# url = file:///tmp/snortrules.tar.gz

# In rare cases you may want to grab the rules directly from a
# local directory (don't confuse this with the output directory).
# url = dir:///etc/snort/src/rules

# Example to use scp to copy the rules archive from another host.
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz

# If you use -u scp://... and need to specify a private ssh key (passed 
# as -i <key> to the scp command) you can specify it here or add an 
# entry in ~/.ssh/config for the Oinkmaster user as described in the 
# OpenSSH manual. 
# scp_key = /home/oinkmaster/oinkmaster_privkey


# The PATH to use during execution. If you prefer to use external 
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be 
# found, and also wget if downloading via ftp, http or https. All with 
# optional .exe suffix. If you're on Cygwin, make sure that the path 
# contains the Cygwin binaries and not the native Win32 binaries or 
# you will get problems.
# The following UNIX style path is assumed by default:
# path = /bin:/usr/bin:/usr/local/bin

# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin

# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin


# We normally use external binaries (wget, tar and gzip) since they're 
# already available on most systems and do a good job. If you have the 
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to 
# choose which method you prefer. It's set to 0 by default on Win32 
# (i.e. use Perl modules), and 1 on other systems (i.e. use external 
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use 
# those than to install the ported Unix tools. (Note that if you're 
# using scp to download the archive, external scp  binary is still 
# used.) 
# use_external_bins = 0


# Temporary directory to use. This directory must exist when starting and
# Oinkmaster will then create a temporary sub directory in here.
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.

# Example for UNIX.
# tmpdir = /home/oinkmaster/tmp/

# Example if running native Win32 or Cygwin.
# tmpdir = c:\tmp

# Example if running Cygwin and you prefer Cygwin style path.
# tmpdir = /cygdrive/c/tmp


# The umask to use during execution if you want it to be something
# else than the current value when starting Oinkmaster.
# This will affect the mode bits when writing new files.
# Keep it commented out to keep your system's current umask.
# umask = 0027


# Files in the archive(s) matching this regular expression will be 
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
# update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$


# Regexp of keywords that starts a Snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic


# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the number
# of rules is below min_rules, the rules are regarded as broken
# and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# If you download from multiple URLs, the count is the total number
# of files/rules across all archives.
# min_files = 1
# min_rules = 1


# By default, a basic sanity check is performed on most paths/filenames 
# to see if they contain illegal characters that may screw things up. 
# If this check is too strict for your system (e.g. you get bogus 
# "illegal characters in filename" errors because of your local language 
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1


# If you want Oinkmaster to send a User-Agent HTTP header string
# other than the default one for wget/LWP, set this variable.
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

# The normal Snort rules usually resides in a directory called 
# "rules" in the downloaded archive. You can tell Oinkmaster to 
# look in another directory by setting the rules_dir statement.
# This allows you to update the shared object rules (so_rules) with 
# Oinkmaster by creating a separate oinkmaster.conf containing 
# "rules_dir = so_rules". Note that you can not set multiple
# directories so you have to run Oinkmaster separately for each 
# directory. Remember to point to different output directories as 
# the "rules" and "so_rules" directories contains files with 
# identical filenames.
# To update the shared object rules, use:
# rules_dir = so_rules
# The default is to update the normal rules:
# rules_dir = rules

# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular 
# oinkmaster.conf as soon as the include statement is seen, and then 
# return and continue parsing the rest of the original file. If an 
# option is redefined, it will override the previous value. You can use 
# as many "include" statements as you wish, and also include even more 
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf



#######################################################################
# Files to totally skip (i.e. never update or check for changes)      #
#                                                                     #
# Syntax: skipfile filename                                           #
# or:     skipfile filename1, filename2, filename3, ...               #
#######################################################################

# Ignore local.rules from the rules archive by default since we might 
# have put some local rules in our own local.rules and we don't want it 
# to get overwritten by the empty one from the archive after each 
# update.
skipfile local.rules

# The file deleted.rules contains rules that have been deleted from 
# other files, so there is usually no point in updating it.
skipfile deleted.rules

# Also skip snort.conf by default since we don't want to overwrite our 
# own snort.conf if we have it in the same directory as the rules. If 
# you have your own production copy of snort.conf in another directory, 
# it may be really nice to check for changes in this file though, 
# especially since variables are sometimes added or modified and 
# new/old files are included/excluded.
skipfile snort.conf

# You may want to consider ignoring threshold.conf for the same reasons 
# as for snort.conf, i.e. if you customize it locally and don't want it 
# to become overwritten by the default one. It may be better to put 
# local thresholding/suppressing in some local file and still update 
# and use the official one though, in case important stuff is added to 
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf

# If you update from multiple URLs at the same time you may need to 
# ignore the sid-msg.map (and generate it yourself if you need one) as 
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map



##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave).  #
# Don't use it unless you have to. There is nothing that stops you from  #
# modifying rules in such ways that they become invalid or generally     #
# break things. You have been warned.                                    #
# If you just want to disable SIDs, please skip this section and have a  #
# look at the "disablesid" keyword below.                                #
#                                                                        #
# You may specify multiple modifysid directives for the same SID (they   #
# will be processed in order of appearance), and you may also specify a  #
# list of SIDs on which the substitution should be applied.              #
# If the argument is in the form something.something it's regarded       #
# as a filename and the substitution will apply on all rules in that     #
# file. The wildcard ("*") can be used to apply the substitution on all  #
# rules regardless of the SID or file. Please avoid using #comments      #
# at the end of modifysid lines, they may confuse the parser in some     #
# situations.                                                            #
#                                                                        #
# Syntax:                                                                #
#   modifysid SID "replacethis" | "withthis"                             #    
# or:                                                                    #
#   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
# or:                                                                    #
#   modifysid file "replacethis" | "withthis"                            #    
# or:                                                                    #
#   modifysid * "replacethis" | "withthis"                               #
#                                                                        #
# The strings within the quotes will basically be passed to a            #
# s/replacethis/withthis/ statement in Perl, so they must be valid       #
# regular expressions. The strings are case-insensitive and only the     #
# first occurrence will be replaced. If there are multiple occurrences   #
# you want to replace, simply repeat the same modifysid line.            #
# As the strings are regular expressions, you MUST escape special        #
# characters like $ \ / ( ) | by prepending a "\" to them.               #
#                                                                        #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then      #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines.                                              #
#                                                                        #
# If you use backreference variables in the substitution expression,     #
# it's strongly recommended to specify them as ${1} instead of $1 and so #
# on, to avoid parsing confusion with unexpected results in some         #
# situations. Note that modifysid statements will process both active    #
# and inactive (disabled) rules.                                         #
#                                                                        #
# You may want to check out README.templates and template-examples.conf  #
# to find how you can simplify the modifysid usage by using templates.   #
##########################################################################

# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"

# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""

# Example to enable ALL rules in ALL files (usually not a good idea).
# modifysid * "^#" | ""

# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"

# Example to make SID 1378 a 'drop' rule (valid if you're running 
# Snort_inline).
# modifysid 1378 "^alert" | "drop"

# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET 
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"

# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
#                "${1} replace:"\/foo\/sh";"

# If you for some reason would like to add a comment inside the actual 
# rules file, like the reason why you disabled this rule, you can do 
# like this (you would normally add such comments in oinkmaster.conf 
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"

# Here is an example that is actually useful. Let's say you don't care 
# about incoming welchia pings (detected by SID 483 at the time of 
# writing) but you want to know when infected hosts on your network 
# scans hosts on the outside. (Remember that watching for outgoing 
# malicious packets is often just as important as watching for incoming 
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"

# The wildcard (modifysid * ...) can be used to do all kinds of 
# interesting things. The substitution expression will be applied on all 
# matching rules. First, a silly example to replace "foo" with "bar" in 
# all rules (that have the string "foo" in them, that is.) 
# modifysid * "foo" | "bar"

# If you for some reason don't want to use the stream preprocessor to 
# match established streams, you may want to replace the 'flow' 
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"

# Example to convert all rules of classtype attempted-admin to 'drop' 
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"

# This one will append some text to the 'msg' string for all rules that 
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
#             "${1}, going to tag this baby"${2}"

# There may be times when you want to replace multiple occurrences of a 
# certain keyword/string in a rule and not just the first one. To 
# replace the first two occurrences of "foo" with "bar" in SID 100, 
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
 
# Or you can even specify a SID list but repeat the same SID as many 
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""

# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""



########################################################################
# SIDs that we don't want to update.                                   #
# If you for some reason don't want a specific rule to be updated      #
# (e.g. you made local modifications to it and you never want to       #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old   #
# version of the rule (i.e. the one in the rules file on your          #
# harddrive) is always kept, regardless if the official version has    #
# been updated. Please do not use this feature unless in special       #
# cases as it's easy to end up with many signatures that aren't        #
# maintained anymore. See the FAQ for details about this and hints     #
# about better solutions regarding customization of rules.             #
#                                                                      #
# Syntax:  localsid SID                                                #
# or:      localsid SID1, SID2, SID3, ...                              #
########################################################################

# Example to never update SID 1325.
# localsid 1325



########################################################################
# SIDs to enable after each update.                                    #
# Will simply remove all the leading '#' for a specified SID (if it's  #
# a multi-line rule, the leading '#' for all lines are removed.)       #
# These will be processed after all the modifysid and disablesid       #
# statements. Using 'enablesid' on a rule that is not disabled is a    #
# NOOP.                                                                #
#                                                                      #
# Syntax:  enablesid SID                                               #
# or:      enablesid SID1, SID2, SID3, ...                             #
########################################################################

# Example to enable SID 1325.
# enablesid 1325



########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a    #
# '#' in front of the rule (if it's a multi-line rule, it will be put  #
# in front of all lines).                                              #
#                                                                      #
# Syntax:  disablesid SID                                              #
# or:      disablesid SID1, SID2, SID3, ...                            #
########################################################################

# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3

# And also as comma-separated lists.
# disablesid 4,5,6

# It's a good idea to also add comment about why you disable the sid:
# disablesid 1324    # 20020101: disabled this SID just because I can