merge files from the blockchain infra repo (#59)

code/chef/files/default/classification.config

@@ -0,0 +1,68 @@
+# $Id$
+# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
+#
+# The following includes information for prioritizing rules
+#
+# Each classification includes a shortname, a description, and a default
+# priority for that classification.
+#
+# This allows alerts to be classified and prioritized.  You can specify
+# what priority each classification has.  Any rule can override the default
+# priority for that rule.
+#
+# Here are a few example rules:
+#
+#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
+#	dsize: > 128; classtype:attempted-admin; priority:10;
+#
+#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
+#	      content:"expn root"; nocase; classtype:attempted-recon;)
+#
+# The first rule will set its type to "attempted-admin" and override
+# the default priority for that type to 10.
+#
+# The second rule set its type to "attempted-recon" and set its
+# priority to the default for that type.
+#
+
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: kickass-porn,SCORE! Get the lotion!,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2

code/chef/files/default/reference.config

@@ -0,0 +1,25 @@
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/
+config reference: bid        http://www.securityfocus.com/bid/
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: cve       http://cvedetails.com/cve/
+config reference: secunia   http://www.secunia.com/advisories/
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+config reference: et        http://doc.emergingthreats.net/
+config reference: etpro     http://doc.emergingthreatspro.com/
+config reference: telus     http://
+config reference: osvdb     http://osvdb.org/show/osvdb/
+config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
+config reference: md5        http://www.threatexpert.com/report.aspx?md5=
+config reference: exploitdb http://www.exploit-db.com/exploits/
+config reference: openpacket https://www.openpacket.org/capture/grab/
+config reference: securitytracker http://securitytracker.com/id?
+config reference: secunia   http://secunia.com/advisories/
+config reference: xforce    http://xforce.iss.net/xforce/xfdb/
+config reference: msft      http://technet.microsoft.com/security/bulletin/
+

code/chef/files/default/suricata_logrotate

@@ -0,0 +1,33 @@
+/var/log/suricata/*.log
+{
+    weekly
+    missingok
+    create
+    sharedscripts
+    postrotate
+            /bin/kill -HUP $(cat /var/run/suricata.pid)
+    endscript
+    delaycompress
+    copytruncate
+    compresscmd /usr/bin/pigz
+    compress
+    dateext
+    notifempty
+}
+
+/var/log/suricata/eve.json
+{
+    weekly
+    missingok
+    create
+    sharedscripts
+    postrotate
+            /bin/kill -HUP $(cat /var/run/suricata.pid)
+    endscript
+    rotate 32
+    delaycompress
+    compresscmd /usr/bin/pigz
+    compress
+    dateext
+    notifempty
+}

code/chef/files/default/threshold.config

@@ -0,0 +1,32 @@
+# Thresholding:
+#
+# This feature is used to reduce the number of logged alerts for noisy rules.
+# Thresholding commands limit the number of times a particular event is logged
+# during a specified time interval.
+#
+# The syntax is the following:
+#
+# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# suppress gen_id <gid>, sig_id <sid>
+# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
+#
+# The options are documented at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
+#
+# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
+# and global thresholds is documented here:
+# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds
+
+# Limit to 10 alerts every 10 seconds for each source host
+#threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10
+
+# Limit to 1 alert every 10 seconds for signature with sid 2404000
+#threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10
+
+# Avoid to alert on f-secure update
+# Example taken from http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
+#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25