# this is the configuration file for SISR, part of SnortSnarf (http://www.SiliconDefense.com/snortsnarf/; hoagland@SiliconDefense.com)
# for more information about this file, see README.SISR

# labeled set database file
set-db-loc: /path/to/labsetdb.xml
# incident database file
inc-db-loc: /path/to/incdb.xml
# SnortSnarf annotations file
ann-db-loc: /path/to/anns.xml
# directory containing your mail templates
report-tmpl-dir-mail: /path/to/mailtempl
# the default set name or a file to get it from
set-name-default: labeledset
#set-name-default: /path/to/setname.txt
# module path to give to Pipeline, should include dirs for HFPM and SISR modules
module-path: /path/to/hfpm/modules /path/to/sisr/modules

# you probably want to leave the rest of this file as is until you decide to define additional incident fields

# these are the fields you have defined for your incidents
ifield sip: Source IP address(es)
ifield dip: Destination IP address(es)
ifield dnet: Destination /24 network(s)
ifield sport: Source port(s)
ifield dport: Destination port(s)
ifield proto: Protocol
ifield flags: Flags
ifield starttime: Time of first event
ifield endtime: Time of last event
ifield semails: Source IP e-mail addresses
ifield creatoremail: Your e-mail address
# this is the pipeline to auto-fill some of these fields
inc-field-calc-pipe: set_field_summation.pl %events PROTOCOL $proto | set_field_summation.pl %events SRCIP $sip | set_field_summation.pl %events SRCPORT $sport | set_field_summation.pl %events DESTIP $dip | set_field_summation.pl %events DESTPORT $dport | set_flags.pl %events $flags | nets_from_ips.pl $dip $dnet 24 | earliest_latest_times.pl %events $starttime $endtime | whois_lookup.pl $sip $semails