# $Id: template-examples.conf,v 1.9 2006/01/29 14:54:58 andreas_o Exp $ #

# Disclaimer:
# DO NOT USE THIS FILE DIRECTLY. The templates in here are only 
# quick examples just to give you some ideas and are subject to be 
# changed/deleted in future releases. If there is a template you want 
# to use, review if carefully and put it in your own oinkmaster.conf (or 
# your own templates.conf or whatever) instead of using this file 
# directly. If you create your own templates and want them added to 
# this file, please send them to me.
# For more information about templates, see README.templates.


# Here are a bunch of sample template definitions, later followed by 
# examples how to use them.

# Tag by src for 10 seconds by adding the string 
# "tag: host,src,10,seconds;" right after the SID statement.
define_template add_src_tagging \
  "\b(sid\s*:\s*\d+\s*;)" | \
  "${1} tag: host,src,10,seconds;"

# If you want to append stuff at the very end of a rule, you could do 
# something like this:
# define_template add_src_tagging \
#  "\)\n$" | \
#  "tag: host,src,10,seconds;)\n"


# Take text given as argument and append it to the rule's "msg" string.
define_template append_msg \
  "\b(msg\s*:\s*".+?)"\s*;+s*" | \
  "${1}%ARG1%";"


# Add thresholding of type "both", count 30, seconds 60.
define_template add_threshold \
  "\b(sid\s*:\s*\d+\s*;)" | \
  "${1} threshold:type both,track by_dst,count 30,seconds 60;"


# Add by_dst thresholding with values for count and seconds given
# as arguments when using the template.
define_template add_threshold_with_values \
  "\b(sid\s*:\s*\d+\s*;)" | \
  "${1} threshold:type both,track by_dst,count %ARG1%,seconds %ARG2%;"


# Change classtype to the one specified as argument.
define_template change_classtype \
  "\bclasstype\s*:\s*\S+\s*;" | \
  "classtype:%ARG1%;"


# Convert an active alert rule to a drop rule
define_template make_drop "^alert\s" | "drop "


# Remove "flow" statement.
define_template remove_flow "flow\s*:\s*[a-z,_ ]+;" | ""


# Comment out rules containing a certain option.
define_template disable_by_keyword "(.*\b%ARG1%\s*:.+;.*)" | "#${1}"


# Switch $EXTERNAL_NET/$HOME_NET in a rule watching for stuff from 
# $EXTERNAL_NET to $HOME_NET, so it becomes $HOME_NET to $EXTERNAL_NET.
define_template check_outgoing \
  "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
  "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"


# Switch $EXTERNAL_NET/$HOME_NET in a rule watching for stuff from
# $HOME_NET to $EXTERNAL_NET, so it becomes $EXTERNAL_NET to $HOME_NET.
define_template check_incoming \
  "(.+) \$HOME_NET (.+) \$EXTERNAL_NET (.+)" | \
  "${1} \$EXTERNAL_NET ${2} \$HOME_NET ${3}"


# Make source and destination address specifications in an alert rule
# become "any", regardless of their current values.
define_template src_dst_any_any \
  "^(alert\s+\S+)\s+\S+\s+(.*?>)\s+\S+" | "${1} any ${2} any"


# Just like disablesid but also add a comment line before the disabled 
# rule.
define_template disable_with_comment \
  "^alert\s" | "# Rule disabled by Oinkmaster, reason=%ARG1%:\n#alert "


# Delete an active rule by removing it from the file completely.
define_template delete_rule \
  "^alert\s.+$" | ""


# Tag by src for the number of seconds given as argument. Also include 
# this number in a string appended to the rule's msg.
define_template tag_src_and_append_msg \
  "^(\s*alert\s+.+\bmsg\s*:\s*".+?)"\s*;+s*(.*)\b(sid\s*:\s*\d+\s*;)" | \
  "${1}, tagging for %ARG1% seconds";${2}${3} tag: host,src,%ARG1%,seconds;"


# This is a template to disable a rule only if it has a specific 
# revision. Very useful if you want to temporarily disable a rule 
# because of false positives and you want to start using the rule again
# as soon as it is updated (i.e. when the "rev" keyword changes).
# The revision is specified as argument when using the template.
define_template disablesid_rev "(.+\brev\s*:\s*%ARG1%\s*;.*)" | "#${1}"



# Now some examples how to use the above templates.


# Add tagging by src to SID 1324.
# use_template add_src_tagging 1324


# Append the string " - added text!" to the msg of SID 1324.
# use_template append_msg 1324 " - added text!"


# Add thresholding with values hardcoded into the add_threshold template.
# use_template add_threshold 1326


# Add thresholding with count value given as first argument
# and seconds value given as second argument.
# use_template add_threshold_with_values 1326 "10" "30"


# Change the classtype to "some-other-classtype" in SID 1324 and 1325.
# use_template change_classtype 1324,1325 "some-other-classtype"


# Make SID 1324 a drop rule.
# use_template make_drop 1324


# Make all rules in exploit.rules to be drop rules.
# use_template make_drop exploit.rules


# Remove the "flow" statement from SID 1324.
# use_template remove_flow 1324


# Disable all rules that are using the "uricontent" keyword.
# use_template disable_by_keyword * "uricontent"


# Reverse $EXTERNAL_NET and $HOME_NET in SID 1324 to watch only
# for outgoing attacks of this kind. 
# use_template check_outgoing 1324


# Make both src and dst "any" in SID 1326.
# use_template src_dst_any_any 1326


# Disable rule 1323, and also add a comment line above it
# in the rules file.
# use_template disable_with_comment 1323 "I don't like this rule"


# Add 60 seconds tagging to SID 528, and also add this
# information to its msg string.
# use_template tag_src_and_append_msg 528 "60"


# This will delete (not disable) the SIDs 1323, 1324 and 1326.
# use_template delete_rule 1323, 1324, 1326


# This will delete ALL active rules. Not a very useful example :)
# use_template delete_rule *


# Disable SID 1324, but only if the revision (the "rev" keyword) is 3.
# use_template disablesid_rev 1324 "3"