# this is the configuration file for SISR, part of SnortSnarf (http://www.SiliconDefense.com/snortsnarf/; hoagland@SiliconDefense.com) # for more information about this file, see README.SISR # labeled set database file set-db-loc: /path/to/labsetdb.xml # incident database file inc-db-loc: /path/to/incdb.xml # SnortSnarf annotations file ann-db-loc: /path/to/anns.xml # directory containing your mail templates report-tmpl-dir-mail: /path/to/mailtempl # the default set name or a file to get it from set-name-default: labeledset #set-name-default: /path/to/setname.txt # module path to give to Pipeline, should include dirs for HFPM and SISR modules module-path: /path/to/hfpm/modules /path/to/sisr/modules # you probably want to leave the rest of this file as is until you decide to define additional incident fields # these are the fields you have defined for your incidents ifield sip: Source IP address(es) ifield dip: Destination IP address(es) ifield dnet: Destination /24 network(s) ifield sport: Source port(s) ifield dport: Destination port(s) ifield proto: Protocol ifield flags: Flags ifield starttime: Time of first event ifield endtime: Time of last event ifield semails: Source IP e-mail addresses ifield creatoremail: Your e-mail address # this is the pipeline to auto-fill some of these fields inc-field-calc-pipe: set_field_summation.pl %events PROTOCOL $proto | set_field_summation.pl %events SRCIP $sip | set_field_summation.pl %events SRCPORT $sport | set_field_summation.pl %events DESTIP $dip | set_field_summation.pl %events DESTPORT $dport | set_flags.pl %events $flags | nets_from_ips.pl $dip $dnet 24 | earliest_latest_times.pl %events $starttime $endtime | whois_lookup.pl $sip $semails