sagan 1.1.2-0.3 / etc / sagan.conf

#  ,-._,-.  Sagan configuration file [http://sagan.quadrantsec.com]
#  \/)"(\/  Champ Clark III & The Quadrant InfoSec Team: http://quadrantsec.com
#   (_o_)   Copyright (C) 2009-2014 Quadrant Information Security., et al.
#   /   \/)   
#  (|| ||)    
#   oo-oo     


##############################################################################
# Standard _required_ Sagan options!
##############################################################################

# Sagan reads log entries via a FIFO (First in/First Out).  This variable
# lets Sagan know where that FIFO is located. 
#
# [Required]

var FIFO /var/run/sagan/sagan.fifo

# This variable contains the path of the Sagan rule sets.  It is required.
#
# [Required]

var RULE_PATH /etc/sagan-rules

# Where Sagan should store it's lock file. 
#
# [Optional]

var LOCKFILE /var/run/sagan/sagan.pid

# Where Sagan should store alerts,  in a text/alert  format. 
#
# [Optional]

var ALERTLOG /var/log/sagan/alert

# This is the path where Sagan related files are stored.  For example,  
# Unified2 output files would be stored under this path.
#
# [Optional]

var SAGANLOGPATH /var/log/sagan

# This section defines commonly used ports and protocols.  Rules call these
# variable values.  This way,  you can change the port for the protocol here
# rather than changing it in the rule set. 

var SSH_PORT 22
var HTTP_PORT 80
var HTTPS_PORT 443
var TELNET_PORT 23
var DNS_PORT 53
var SNMP_PORT 161
var POP3_PORT 110
var IMAP_PORT 143
var SMTP_PORT 25
var MYSQL_PORT 3306
var MSSQL_PORT 1433
var NTP_PORT 123
var OPENVPN_PORT 1194
var PPTP_PORT 1723
var FTP_PORT 21
var RSYNC_PORT 873
var SQUID_PORT 3128

# This is the IP address _of_ the Sagan system.   These options are used
# if Sagan is unable to determine a TCP/IP network address and/or port.
#
# [Required]
  
sagan_host 192.168.0.1
sagan_port 514

# If logging to a Snort database and a rule specifies the
# protocol a "any",  this is the protocol we default to.  This is only
# needed if you are # logging to a Snort database. 
#
# Defaults to 17 [UDP],  which is what normal 'syslog' traffic is.  If you
# want TCP to be the desired effect,  change this option to "6". 
#
# [Optional]

; sagan_proto 17

# Disable DNS warnings.  Sagan will warn every time it has to do a DNS lookup
# when attempting to normalize a log entry.  You typically don't want to
# do DNS lookups with log analysis.  More information can be found at:
# https://wiki.quadrantsec.com/bin/view/Main/SaganDNS.  If it's not possible
# to gather the true TCP/IP address information,  you can supress these 
# warnings here.

; disable_dns_warnings

# README FIRST! - It is very LIKELY you do NOT want to enable this feature. 
# If the syslog system is feeding you "hostnames" rather than source IP 
# addresses,  Sagan can do a DNS lookup of the source host.   Sagan will cache
# this information,  but there will be a preformance hit.  Make _sure_
# your DNS system settings are correct!

; syslog_src_lookup

# This sets the max capacity of the pipe (FIFO).  The option is in bytes,  but
# must be must be between your systems page size and the limit defined in your
# /proc/sys/fs/pipe-max-size.  If you attempt to set a capacity below the page
# size,  it will be automatically rounded up.  As of Linux 2.6.35, the default
# pipe capacity is 65536 bytes with a maximum of 1048576 bytes.  
#
# A larger capacity pipe means there is more room for the logging daemon to 
# stuff data into which can positively affect Sagan performance.  Typical valid
# values are 65536, 131072, 262144, 524288, and 1048576.  Sagan defaults to 
# 1048576. 
 
; sagan_fifo_size 1048576

##############################################################################
# Shared memory resources
##############################################################################

# Sagan creates "memory mapped" files to keep track of flowbits, thresholds,
# and afters.  This allows Sagan to share information with other Sagan 
# processes.  For example,  if one Sagan instance is monitoring "Linux" logs
# and another is monitoring "Windows" logs, Sagan can communicate between
# the two Sagan processes using these memory mapped files.  A "flowbit" that
# is "set" by the "Linux" process accessable and "known" to the Windows 
# instance. 
#
# This also allows Sagan to "remember" threshold, flowbit and after data 
# between Sagan restarts (including system reboots!).
#
# The storage is pre-allocated when the memory mapped files are created. 
# The values can be increased at any time.  The default is 10000 elements
# per array. 

# Location for memory mapped files.  Defaults to /var/run/sagan

; ipc_directory /var/run/sagan

# Flowbit memory map file.

; flowbits 10000

# Thresholding memory map files.

; threshold_by_src 10000
; threshold_by_dst 10000
; threshold_by_username 10000

# After memory map files.

; after_by_src 10000
; after_by_dst 10000
; after_by_username 10000

# Track clients memory map file.

; track_clients 10000

##############################################################################
# Maximum processor threads. 
##############################################################################

# Maximum number of "processor" threads.  Processor threads are what do the
# analysis of the log lines.  Default = 50.

# [optional]

; max_processor_threads 100

##############################################################################
# The "ignore list" is a list of strings,  terms, etc that Sagan will 
# ignore if received.  If these terms are found,  then rule parsing and 
# processors or bypassed and the message is dropped.  This is useful for 
# when you have log messages repeating without any useful information and
# you don't want to burn CPU in analyzing them.
##############################################################################

; ignore_list: /etc/sagan-ignore-list.txt

##############################################################################
# Maxmind GeoIP2 support:  Sagan will need the --enable-geoip2 flag for this 
# support.  This allows Sagan to catagorize events by their country code.  
# For example; a rule can be created to track "authentication successes"
# and associate the country the successful login came from.  If the successful
# login is from outside your country code,  an alarm can be generated. 
#
# This can only be used with maxmind GeoIP2 databases.  Legacy "GeoIP" 
# databases will not function!a
#
# Free and paid databases can be foudn at:
#
# https://www.maxmind.com/en/geoip2-country-database  (For free/pay databases)
# http://dev.maxmind.com/geoip/geoip2/geolite2/ (free database)
#
# Country codes (ISO3166) can be found at:
# http://dev.maxmind.com/geoip/legacy/codes/iso3166/
#
# For more information about this feature,  see:
#
# https://quadrantsec.com/about/blog/detecting_adversary_with_sagan_geoip/
#
##############################################################################

; country_database: /usr/local/share/GeoIP2/GeoLite2-Country.mmdb
; var HOME_COUNTRY [US, CA]

##############################################################################
# Credit card prefix - The variable "CREDIT_CARD_PREFIXES" is used by some 
# rules to determine if a valid credit card has been passed.  This is used 
# in conjuction with some PoS (Point of Sales) rule sets.  For example,  the
# fipaypin.rules. 
##############################################################################

# The current credit card prefixes are United States centric.  You may want 
# to consider altering them for your usage.  More information on credit card
# prefixes can be found at:
#
# https://en.wikipedia.org/wiki/Bank_card_number#Issuer_identification_number_.28IIN.29
#
# Current enabled values:
# -----------------------
# Visa 					4
# American Express 			34, 37
# Diners Club Carte Blanche		300-305
# Diners Club enRoute 			2014, 2149
# Diners Club International		309, 36 ,38, 39
# Diners Club United States & Canada	54, 55
# Discover Card (shortened)		6011, 622126-622925, 644-649, 65
# InstaPaymet				636, 637, 638, 639
# Mastercard (shortened)		2221-2720, 51-55

; var CREDIT_CARD_PREFIXES [4,34,37,300,301,302,303,304,305,2014,2149,309,36,38,39,54,55,6011,6221,6222,6223,6224,6225,6226,6227,6228,6229,644,645,646,647,648,649,65,636,637,638,639,22,23,24,25,26,27,51,52,53,53,55]

##############################################################################
# RFC1918 prefixes.  Typically used with "meta_content" to determine if an
# IP addresses are RFC1918 or not. 
##############################################################################

; var RFC1918 [10.,192.168.,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31.]

##############################################################################
# The "WINDOWS_DOMAINS" variable.  This is used by some Windows rules to 
# determine if a log message contains,  or does not contain, a valid DOMAIN
# for your organization.  This can be used with rule options like
# meta_content. 
# 
# You can also load a list dynamically using the
# 
# var WINDOWS_DOMAINS file:/etc/example_file.txt
#
# For more information abou this feature,  see:
#
# https://quadrantsec.com/about/blog/detecting_pass_the_hash_attacks_with_sagan_in_real_time/
#
##############################################################################

; var WINDOWS_DOMAINS [MYCOMPANYDOMAIN, EXAMPLEDOMAIN, ANOTHER_DOMAIN]

##############################################################################
# Define variables used by the "aetas" rule sets.  These are time based 
# rules.  For example,  if a rule has:
#
# alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;
#
# The signature will only fire between on $SAGAN_DAYS and $SAGAN_HOURS. 
# This is used to monitor logs for events that shouldn't normally happen
# "after hours".  For example,  administrator logins at "odd" times.
#
# Days - 0 = Sunday
#        6 = Saturday
#
# See https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference
# for more details
##############################################################################

; var SAGAN_HOURS 0700-1800
; var SAGAN_DAYS 12345

##############################################################################
# Microsoft "Sysinternals" PSExec MD5 sums.
##############################################################################

# psexec_v1.98, v2.00, v2.10, v2.11, v2.11 (2016)

var PSEXEC_MD5 [CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3,9A46E577206D306D9D2B2AB2F72689E4F5F38FB1,2EDEEFB431663F20A36A63C853108E083F4DA895,B5C62D79EDA4F7E4B60A9CAA5736A3FDC2F1B27E,A7F7A0F74C8B48F1699858B3B6C11EDA]

##############################################################################
# "sagan-track-clients" (Processor) - This processor keeps track of the
# systems reporting to Sagan.  If Sagan stops receiving logs from a client 
# for X number of minutes (client_timeout),  a alert is created.  When the
# system comes "back online",  another alert is created. 
# 
# client_timeout = Alert after this many minutes if no logs are received.
##############################################################################

; processor sagan-track-clients: client_timeout=1440

##############################################################################
# Perfmonitor processor - This processor writes statistical information 
# every X seconds (user defined) to a CSV file.  Good for keeping track
# of performance or generating graphs with RRDTool. Cannot be loaded via
# SIGHUP.  This must be enabled at run time.
##############################################################################

; processor perfmonitor: time=600 file=/var/log/sagan/stats/sagan.stats

##############################################################################
# Blacklist processor - This processor reads in a list of hosts/networks that 
# are considered "bad".  For example,  you might pull down a list like
# http://feeds.dshield.org/block.txt.  This list can then be loaded into 
# Sagan and _any_ log that contains an IP address from this list will 
# generate an alert.  The list uses a IP/CIDR format (for example:
# 192.168.1.0/24).  You can then create rules that will "look" for these
# blacklisted addresses.  You can supply multiple files by delimiting them
# by a comma
##############################################################################

; processor blacklist: /etc/sagan-rules/blacklist.txt

##############################################################################
# Bluedot processor - This processor extracts information from logs (URLs,
# file hashes, IP addresses) and queries the Quadrant Information Security 
# "Bluedot" Threat Intellegence database.  This is a closed database at this
# time.  Please contact Quadrant Information Security at +1-800-538-9357 or
# info@quadrantsec.com for more information.
#
# device_id  = Identification of the sensor making query.
# max_cache  = Number of items, per type (url, hash, filename, ip) to cache
#              in memory.
# catagories = Bluedot "catagories". 
# url = URL with API key to query the Quadrant Bluedot database
##############################################################################

; processor bluedot: device_id=SAGAN max_cache=300000 cache_timeout=120 catagories=/etc/sagan-rules/bluedot-catagories.conf url=http://bluedot.quadrantsec.com/q.php?qipapikey=APIKEY

# Bluedot "catagories" to monitor for. 

; var BLUEDOT_NETWORK [Malicious]

##############################################################################
# The Bro Intellegence framework
##############################################################################

# This processor allows Sagan to use data from the "Bro Intellegence 
# Framework".  Supply the Bro Intel files to the processor.  Delimit via 
# comma. 
#
# For more information about the Bro Intellegence Framework, 
# see: 
#
# https://quadrantsec.com/about/blog/using_sagan_with_bro_intelligence_feeds/
# http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
# https://www.bro.org/sphinx-git/frameworks/intel.html
#
# A great source for aggregate source of Bro Intellegence data,  see: 
#
# https://intel.criticalstack.com/
#
# More information about this Sagan processor can be found at at:
#
# https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#bro_intel_src_ipaddr_dst_ipaddr
#
#
; processor bro-intel: /opt/critical-stack/frameworks/intel/master-public.bro.dat

##############################################################################
# External program/system calls configurations specifics
##############################################################################

# This option calls an external program when an event is triggered by a rule.
# Sagan basically makes a thread and calls the execl() system call.
# Data is supplied to the program being called via standard in (stdin). 

; output external: /home/sagan/myprogram

##############################################################################
# libesmtp (SMTP/E-mail) specific configuration options
##############################################################################

# If you'd like Sagan to e-mail triggered events to you,  then you'll want
# to configure the below.

# If min_email_priority is set,  then Sagan will _only_ e-mail events equal to
# or less than this priority event.  If left commented our or set to 0, 
# Sagan will e-mail _all_ events.  This option does _not_ over ride rules
# with the "email:" option set! 

; min_email_priority 5

# This is where alerts will be sent if a rule _does not_ have a "email:"
# option.  If a rule does have "email:" option,  then the rules e-mail address
# will over ride this option.  If this option is not set,  then only
# rules with the "email:" option will be sent. 

; send-to sagan-alerts@example.com

# Subject to prepend to the e-mail.   By default,  it is "[Sagan]". 

; email_subject "[Sagan Sensor Testing]"

# Server information.  This tells Sagan "who" to send e-mail as and where 
# the SMTP server to relay is.  This must be set if the "send-to" option
# set,  or you have rules with the "email:" option!
#
; output email: smtpserver=192.168.0.1:25 from=sagan-alert@example.com

##############################################################################
# Unified2 output plug in 
##############################################################################

# This lets Sagan log the Snort's 'Unified2' output format.  This allows 
# events generated by Sagan to be read and queued for external programs 
# like Barnyard2 (http://www.securixlive.com/barnyard2/).  Barnyard2 can 
# the record events in various formats (alert_fast,  log_ascii, 
# log_tcpdump,  Sguil,  MySQL,  PostgreSQL, ODBC, MS-SQL and Oracle). 

; output unified2: filename sagan.u2, limit 128

##############################################################################
# Sagan syslog "Sniffier" mode.  (PLOG). Promiscuous syslog injector
##############################################################################

# This lets Sagan "listen" on a network interface via pcap/bpf and "suck"
# up UDP syslog messages.  When it "finds" a syslog message within a packet,
# it injects it into /dev/log.  Basically,  it 'sniffs' syslog messages and
# injects them to your syslog daemon (for archival purposes) and Sagan
# (for analysis).  Good for environments you can't reconfigure syslog
# services. Cannot be loaded viaSIGHUP.  This must be enabled at run time.
#
# For more information,  see src/sagan-plog.c.

# Network interface to "sniff" traffic on.
; plog_interface eth0

# Syslog "port" to listen on...
; plog_filter "port 514"

# Where to inject "found" messages to.
; plog_logdev /dev/log

# If Sagan is listening/sniffing on a span/mirror port,  you'll want to 
# have Sagan put the device in "promiscuous mode".  Uncomment to enable
# that here.
#
; plog_promiscuous

#############################################################################
# Sagan "Snortsam" configuration. 
#############################################################################
#
# This allows Sagan to send block information Snortsam agents.  If a rule 
# has the fwsam: option in it,  the offending IP address can be 
# firewall/blocked. For example,  if a rule is triggered with the fwsam: 
# option,  Sagan can instruct a firewall (iptables/ebtable/pf/iwpf/Cisco/
# Checkpoint/etc) to firewall off the source or destination.
#
# In order for Sagan to send a blocking request to the SnortSam agent,
# that agent has to be listed, including the port it listens on,
# and the encryption key it is using. The statement for that is:
#
# output alert_fwsam: {SnortSam Station}:{port}/{password}
#
#  {SnortSam Station}: IP address or host name of the host where SnortSam is running.
#  {port}:             The port the remote SnortSam agent listens on.
#  {password}:         The password, or key, used for encryption of the
#                      communication to the remote agent.
#
# At the very least, the IP address or host name of the host running SnortSam
# needs to be specified. If the port is omitted, it defaults to TCP port 898.
# If the password is omitted, it defaults to a preset password.
# (In which case it needs to be omitted on the SnortSam agent as well)
#
# More than one host can be specified, but has to be done on the same line.
# Just separate them with one or more spaces.
#
# Examples:
#
# output alert_fwsam: firewall/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw

; output alert_fwsam: 127.0.0.1/mypassword

#############################################################################
# Sagan syslog output
#############################################################################

# This allows Sagan to send alerts to syslog.   The syslog output format used
# is exactly the same of Snorts.  This means that your SIEMs Snort log 
# parsers should work with Sagan.  
#
# output syslog: {facility} {priority} {syslog options}
#
# Facilities: LOG_AUTH, LOG_AUTHPRIV, LOG_CRON, LOG_DAEMON, LOG_FTP, 
# LOG_INSTALL, LOG_KERN, LOG_LPR, LOG_MAIL, LOG_NETINFO, LOG_RAS,
# LOG_REMOTEAUTH, LOG_NEWS, LOG_SYSLOG, LOG_USER, LOG_UUCP, LOG_LOCAL0, 
# LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, 
# LOG_LOCAL7.
#
# Priorities: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
# LOG_NOTICE, LOG_INFO, LOG_DEBUG.
#
# Syslog options: LOG_CONS, LOG_NDELAY, LOG_PERROR, LOG_PID, LOG_NOWAIT.
#
# Default: LOG_AUTH LOG_ALERT LOG_PID
# 
# For more information, see:
#
# https://quadrantsec.com/about/blog/sagan_output_to_other_siems/

; output syslog: LOG_AUTH LOG_ALERT

##############################################################################
# Sagan rule sets! Arrgh Villains! Sagan neither takes nor gives mercy!
##############################################################################

# This should be enabled!  "classifications.config" allows correlation between
# a short name (for example,  "attempted-admin") and a priority level 
# (for example, "1").  "reference.config" gives your various places to learn
# more information pertaining to an alert. 

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
include $RULE_PATH/gen-msg.map
include $RULE_PATH/protocol.map

#############################################################################
# Sagan normalization 'rule base'. (liblognorm)
#############################################################################

# Master normalization file for liblognorm. 

normalize_file: $RULE_PATH/normalization.rulebase

#############################################################################
# GeoIP Sagan rule sets
#############################################################################

# These rules rely on GeoIP information in order to function.  This means that
# Sagan needs to be compiled with Maxmind GeoIP support.   Otherwise these
# rules will not function. 

#include $RULE_PATH/cisco-geoip.rules
#include $RULE_PATH/fatpipe-geoip.rules
#include $RULE_PATH/fortinet-geoip.rules
#include $RULE_PATH/imapd-geoip.rules
#include $RULE_PATH/juniper-geoip.rules
#include $RULE_PATH/openssh-geoip.rules
#include $RULE_PATH/proftpd-geoip.rules
#include $RULE_PATH/riverbed-geoip.rules
#include $RULE_PATH/snort-geoip.rules
#include $RULE_PATH/ssh-tectia-server-geoip.rules
#include $RULE_PATH/windows-geoip.rules
#include $RULE_PATH/citrix-geoip.rules
#include $RULE_PATH/courier-geoip.rules
#include $RULE_PATH/riverbed-geoip.rules
#include $RULE_PATH/vmware-geoip.rules
#include $RULE_PATH/vsftpd-geoip.rules
#include $RULE_PATH/windows-owa-geoip.rules

#############################################################################
# Aetas Sagan rule sets
#############################################################################

# These rules are "time sensitive".  The rules detect what would be 
# normal events at abnormal times.  For example,  a Windows RDP sessions
# at 3:00 AM might be considered suspicious. 

#include $RULE_PATH/cisco-aetas.rules
#include $RULE_PATH/fatpipe-aetas.rules
#include $RULE_PATH/fortinet-aetas.rules
#include $RULE_PATH/juniper-aetas.rules
#include $RULE_PATH/openssh-aetas.rules
#include $RULE_PATH/proftpd-aetas.rules
#include $RULE_PATH/riverbed-aetas.rules
#include $RULE_PATH/ssh-tectia-server-aetas.rules
#include $RULE_PATH/windows-aetas.rules

#############################################################################
# Correlated rules
#############################################################################

# These are rules that depend on flowbit and more than one event to occur 
# before they are triggered.  You can think of these as "if A, B and C 
# events happen,  let's sound the alarm!". 

#include $RULE_PATH/cisco-correlated.rules
#include $RULE_PATH/citrix-correlated.rules
#include $RULE_PATH/courier-correlated.rules
#include $RULE_PATH/fatpipe-correlated.rules
#include $RULE_PATH/fortinet-correlated.rules
#include $RULE_PATH/imapd-correlated.rules
#include $RULE_PATH/openssh-correlated.rules
#include $RULE_PATH/ssh-tectia-server-correlated.rules
#include $RULE_PATH/vmware-correlated.rules
#include $RULE_PATH/vsftpd-correlated.rules
#include $RULE_PATH/windows-correlated.rules
#include $RULE_PATH/windows-owa-correlated.rules

#############################################################################
# Standard Sagan rule sets
#############################################################################

# These are the specific rule sets of events which are of interest and require
# notification.  Tailor these to your specific needs and check from time to 
# time for new rule sets that might be of benefit.
#
# It is _UNLIKELY_ you want to have _ALL_ rules enabled! 

include $RULE_PATH/adtran.rules
include $RULE_PATH/apache.rules
#include $RULE_PATH/apc-emu.rules
include $RULE_PATH/arp.rules
include $RULE_PATH/artillery.rules
include $RULE_PATH/asterisk.rules
include $RULE_PATH/attack.rules
include $RULE_PATH/bash.rules
include $RULE_PATH/bind.rules
include $RULE_PATH/blacklist.rules
#include $RULE_PATH/bluedot.rules
#include $RULE_PATH/bonding.rules
include $RULE_PATH/bro-ids.rules
include $RULE_PATH/bro-intel.rules
#include $RULE_PATH/cacti-thold.rules
#include $RULE_PATH/cisco-acs.rules
#include $RULE_PATH/cisco-blacklist.rules
#include $RULE_PATH/cisco-brointel.rules
#include $RULE_PATH/cisco-cucm.rules
#include $RULE_PATH/cisco-ios.rules
#include $RULE_PATH/cisco-malware.rules
#include $RULE_PATH/cisco-pixasa.rules
#include $RULE_PATH/cisco-prime.rules
#include $RULE_PATH/cisco-sdee.rules
#include $RULE_PATH/cisco-wlc.rules
include $RULE_PATH/citrix-blacklist.rules
#include $RULE_PATH/citrix-bluedot.rules
include $RULE_PATH/citrix-brointel.rules
include $RULE_PATH/citrix.rules
include $RULE_PATH/courier.rules
include $RULE_PATH/cylance.rules
include $RULE_PATH/deleted.rules
include $RULE_PATH/digitalpersona.rules
include $RULE_PATH/dovecot.rules
include $RULE_PATH/fatpipe.rules
include $RULE_PATH/fortinet-malware.rules
include $RULE_PATH/fortinet.rules
include $RULE_PATH/ftpd.rules
include $RULE_PATH/grsec.rules
include $RULE_PATH/honeyd.rules
include $RULE_PATH/hordeimp.rules
include $RULE_PATH/hostapd.rules
include $RULE_PATH/huawei.rules
include $RULE_PATH/imapd.rules
include $RULE_PATH/ipop3d.rules
include $RULE_PATH/juniper.rules
include $RULE_PATH/kismet.rules
include $RULE_PATH/knockd.rules
include $RULE_PATH/linux-kernel.rules
include $RULE_PATH/milter.rules
include $RULE_PATH/mongodb.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/nexpose.rules
include $RULE_PATH/nfcapd-malware.rules
include $RULE_PATH/nfcapd.rules
include $RULE_PATH/nginx.rules
include $RULE_PATH/ntp.rules
include $RULE_PATH/openssh.rules
include $RULE_PATH/openvpn.rules
include $RULE_PATH/oracle.rules
#include $RULE_PATH/ossec-mi.rules
include $RULE_PATH/ossec.rules
include $RULE_PATH/php.rules
include $RULE_PATH/postfix.rules
include $RULE_PATH/postgresql.rules
include $RULE_PATH/pptp.rules
include $RULE_PATH/procurve.rules
include $RULE_PATH/proftpd.rules
include $RULE_PATH/proxy-malware.rules
include $RULE_PATH/pure-ftpd.rules
include $RULE_PATH/racoon.rules
include $RULE_PATH/riverbed.rules
include $RULE_PATH/roundcube.rules
include $RULE_PATH/rsync.rules
include $RULE_PATH/samba.rules
#include $RULE_PATH/sendmail.rules
include $RULE_PATH/snort.rules
#include $RULE_PATH/solaris.rules
#include $RULE_PATH/sonicwall.rules
include $RULE_PATH/squid.rules
include $RULE_PATH/ssh-tectia-server.rules
include $RULE_PATH/su.rules
include $RULE_PATH/symantec-ems.rules
include $RULE_PATH/syslog.rules
include $RULE_PATH/tcp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tripwire.rules
include $RULE_PATH/vmpop3d.rules
include $RULE_PATH/vmware.rules
include $RULE_PATH/vpopmail.rules
include $RULE_PATH/vsftpd.rules
include $RULE_PATH/web-attack.rules
include $RULE_PATH/weblabrinth.rules
#include $RULE_PATH/windows-applocker.rules
#include $RULE_PATH/windows-auth.rules
#include $RULE_PATH/windows-blacklist.rules
#include $RULE_PATH/windows-bluedot.rules
#include $RULE_PATH/windows-brointel.rules
#include $RULE_PATH/windows-emet.rules
#include $RULE_PATH/windows-malware.rules
#include $RULE_PATH/windows-misc.rules
#include $RULE_PATH/windows-mssql.rules
#include $RULE_PATH/windows-owa-blacklist.rules
#include $RULE_PATH/windows-owa-bluedot.rules
#include $RULE_PATH/windows-owa-brointel.rules
#include $RULE_PATH/windows-owa.rules
#include $RULE_PATH/windows.rules
include $RULE_PATH/wordpress.rules
include $RULE_PATH/xinetd.rules
include $RULE_PATH/zeus.rules