#### ******* SAMPLE CONF FILE FOR TESTING AND DOC *******************

# Here we define the interface on which we will block incoming offending
# packets (for example, the external interface on your firewall). This
# is not used in the default iptables EXTBLOCK chain setup and you can
# set it to be any interface.
Interface eth0

# Guardian's log file. The logs go to syslog if this is not defined.
#LogFile /var/log/guardian.log

# Snort's alert files. This can be the snort.alert file, or a syslog file.
# Multiple log files, with wildcards, are supported.
AlertFiles /var/log/messages /var/log/secure

# The list of IP addresses or hostnames (as perl regexes) to ignore.
IgnoreFile /etc/guardian.ignore

# The default time in seconds to keep a host blocked. If undefined, it
# defaults to 3600.
#TimeLimit 120

# The maximum number of blocks we can have at any time. When the limit is
# reached, the entries that have already served the largest fraction of
# their block time will be removed and those hosts unblocked. Default is 100.
MaxBlocks 20

# The filename for the list of rules to match with and the corresponding actions.
# Each active line in the file must be of the form:
#
#   log_regex +++ count/second ==> action seconds
# or
#   Override: host_regex +++ count/second ==> action seconds
# or
#   Track: log_regex +++ count/second ==> action seconds
#
# where 'log_regex' is the perl regex that matches the lines we are looking for;
# the first rule that matches a line wins, and later rules are not tried for that
# line. The regex can be followed by an optional '; src=src_regex' if you need to
# supply your own way to match the source host IP/name. The 'src_regex' must
# contain a (pattern) capturing the host IP/name itself. Others are:
# '; sport=regex' for source port, '; dst=regex' for dest IP/name,
# '; dport=regex' for dest port. These are optional; not needed if you are just
# watching snort-related logs. They might be useful if you run the command with
# the '-a' option to watch logs from other services.
# Another optional pattern is '; tag=string', which can be used to assign a tag to
# your rule so you can use that info in your customized blocking scripts for finer
# control, like blocking only one port for some rule or host. You can use the $*
# variables described below in your tag to pass along more info to your script.
# 'count/second' is how often the regex must occur; for example, 5/30 means at
# least 5 matches within the last 30 seconds before the rule is triggered. 5/0 or
# 5 means wait for at least 5 matches, with no time window. The default is to trigger
# the rule on every match. 'count' can be suffixed with 'H' or 'P' to require
# 'count' distinct hosts or ports instead of 'count' matches. A rule can have
# *multiple* 'count/second' for multi-level thresholds.
# 'action' is the action to take: DROP, LOG, NOOP, ECHO, BELL, or any other
# system command string enclosed in quotes. The quotes can be left out when
# the string does not end with a digit (or 'seconds' is given explicitly, so the
# trailing digit cannot be mistaken for it) and they are not needed to group
# arguments. The default action is DROP and LOG. Set it to LOG for debugging
# and testing. The system command string starts with the command itself followed
# by at least one argument. A shell is used if the command string contains any of
# the shell special chars: &;`|<>. The matching lines will be piped to your
# command as stdin if it starts with a '|'.
# The arguments can contain the special variables: $_ for the whole matched line,
# $0 for only the matched part of the line, $1, $2, etc. for any subpatterns in
# your regex, $sec for the 'seconds' of the 'action', $src for the source host,
# $dst for the dest host, $rn for the unique rule number, $tag, etc.
# Note that $_, $0, $src and friends expand to text lifted from the log, which the
# remote host influences, so keep them out of command strings that trigger a shell.
# 'seconds' is the number of seconds to block the IP for (or the number of
# seconds to wait before the next action, as a throttle), and it defaults to
# TimeLimit above; it can be suffixed with s, m, h, d, y for second, minute,
# hour, day, year. If 'seconds' is 1, the action will be performed for each
# occurrence.
# Other than 'log_regex' and the '+++' and '==>' marks, everything else is optional.
# The 2nd form can be used to override a rule, or all the rules, for hosts matching
# the special 'host_regex', in which the usual shell wildcards * ? ^ $ [ - ] can
# be used to match IP numbers or hostnames. The special '__IgnorehostDefault__' can
# be used to override rules for the default ignored hosts (web, dns, smtp, proxy
# servers in the .com/.edu/.org domains). If 'host_regex' is prefixed with '->',
# it matches the dest host instead. Prefix a regex with ! to invert the match.
# The 3rd form is used to track any log entries related to a host which has been
# blocked by the rule above it. For 'Track', 'seconds' is how long to track the
# host for. For example, when a remote host was blocked because of a portscan,
# you can use this form to log if anyone from that host has ssh'ed to your hosts
# within 1 week of being blocked. You can have more than one track attached to
# one rule. Any 'Override:' after a 'Track:' line modifies the 'Track:' instead.
# 'Track:'s in the global section apply to all existing rules.
#
# Examples:
#
#   \[Priority: 1\]: +++ 3/60 ==> 234
#   Override: .duke.edu +++ ==> myblock $src 'for $0' 83
#
# Additionally, each rule or track can be followed by any number of blocks of raw
# perl code delimited by 'perl:' and 'end;' on their own lines, which will be
# evaluated on each match and whose return value further determines whether the
# matched incident contributes to triggering the action: yes if true (non-zero
# in perl). In the perl code you can use the pre-defined variables such as $src,
# $0, etc., but in the special form ${src}, ${0}, etc. Moreover, a perl code block
# delimited by 'final:' and 'end;' will be run right before the action is
# performed. Please note that perl code in the global section will be attached to
# all rules and tracks, AND perl code defined before all the rules will be run
# right after the program is first initialized.
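The following is an added example, not guardian's own code (guardian itself is written in Perl): a small Python parser for the `log_regex +++ count/second ==> action seconds` rule line documented above, plus a sliding-window evaluator that runs the parsed rules over a few constructed log lines and reports which source hosts would be actioned. The rule file, the log lines and the timestamps are constructed for the example. Three things are this example's assumptions rather than documented guardian behaviour: the fallback extractors used when a rule has no `; src=`, `; dst=` or `; dport=` qualifier (first IPv4 address, the address after `->`, and the port after it), the "any threshold fires" reading of multi-level thresholds, and the reset of the counter once an action fires. `Override:`, `Track:` and the embedded perl blocks are not handled.

```python
# Added example, not guardian's own code. Assumptions (not guardian's documented
# behaviour): the default src/dst/dport extractors, "any threshold fires" for
# multi-level thresholds, and the counter reset after an action fires.
import re
from collections import defaultdict, deque, namedtuple

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
DEFAULT_TIME_LIMIT = 3600                    # guardian's documented TimeLimit default
EXTRA_KEYS = ("src", "sport", "dst", "dport", "tag")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DEFAULTS = {"src": re.compile(r"(%s)" % IPV4),            # assumed fallbacks when a rule
            "dst": re.compile(r"-> (%s)" % IPV4),         # gives no '; src=' / '; dst='
            "dport": re.compile(r"-> %s:(\d+)" % IPV4)}   # / '; dport=' of its own
# thresholds: [(count, window_seconds, mode)], mode '' (matches), 'H' (hosts) or 'P' (ports)
Rule = namedtuple("Rule", "regex thresholds action seconds extras")


def parse_seconds(tok, default):
    """'234' -> 234, '1h' -> 3600; anything else -> the TimeLimit default."""
    m = re.fullmatch(r"(\d+)([smhdy]?)", tok or "")
    return int(m.group(1)) * UNITS[m.group(2) or "s"] if m else default


def parse_rule(line, time_limit=DEFAULT_TIME_LIMIT):
    """Parse 'log_regex[; key=regex ...] +++ [count/second ...] ==> [action] [seconds]'."""
    left, sep1, rest = line.partition("+++")
    thresh_txt, sep2, right = rest.partition("==>")
    if not (sep1 and sep2):
        raise ValueError("rule needs both '+++' and '==>': %r" % line)
    # split the log_regex from the optional '; key=regex' qualifiers
    parts = re.split(r";\s*(?=(?:%s)=)" % "|".join(EXTRA_KEYS), left.strip())
    extras = dict(p.split("=", 1) for p in parts[1:])
    thresholds = []
    for tok in thresh_txt.split():           # e.g. '5/30', '5', '20P/60'
        count, _, window = tok.partition("/")
        mode = count[-1] if count[-1] in "HP" else ""
        thresholds.append((int(count.rstrip("HP")), int(window or 0), mode))
    thresholds = thresholds or [(1, 0, "")]  # default: fire on every match
    tokens = right.split()
    seconds = time_limit
    if tokens and re.fullmatch(r"\d+[smhdy]?", tokens[-1]):   # trailing 'seconds'
        seconds = parse_seconds(tokens.pop(), time_limit)
    action = " ".join(tokens) or "DROP"      # default action is DROP (and LOG)
    return Rule(re.compile(parts[0]), thresholds, action, seconds, extras)


def extract(rule, key, line):
    pat = rule.extras.get(key)
    m = re.search(pat, line) if pat else DEFAULTS[key].search(line)
    return m.group(1) if m else None


class Guardian:
    """Per-(rule, source) sliding-window counters; the first matching rule owns a line."""

    def __init__(self, rules):
        self.rules = rules
        self.events = defaultdict(deque)     # (rule_idx, src) -> deque of (ts, dst, dport)

    def feed(self, ts, line):
        """Return (action, src, seconds, tag) if a rule fires on this line, else None."""
        for idx, rule in enumerate(self.rules):
            if not rule.regex.search(line):
                continue
            src = extract(rule, "src", line)
            if src is None:                  # cannot attribute the line to a host
                return None
            q = self.events[(idx, src)]
            q.append((ts, extract(rule, "dst", line), extract(rule, "dport", line)))
            longest = max(w for _, w, _ in rule.thresholds)
            while longest and q and ts - q[0][0] > longest:   # age out old events
                q.popleft()
            for count, window, mode in rule.thresholds:
                recent = [e for e in q if not window or ts - e[0] <= window]
                if mode == "H":
                    n = len({e[1] for e in recent})
                elif mode == "P":
                    n = len({e[2] for e in recent})
                else:
                    n = len(recent)
                if n >= count:
                    q.clear()                # one burst fires the action once
                    return (rule.action, src, rule.seconds, rule.extras.get("tag"))
            return None                      # first matching rule handles the line
        return None


RULES_TEXT = r"""
# constructed rule file: a snort priority-1 burst, and an ssh brute-force watch
\[Priority: 1\]: +++ 3/60 ==> 234
sshd.*Failed password for .* from; src=from (\S+) port; tag=ssh-brute +++ 5/300 ==> LOG 1h
"""
# constructed log lines with explicit timestamps (seconds), not real traffic
SNORT = "fw snort[1]: [1:1000:0] probe [Priority: 1]: {TCP} 203.0.113.5:4444 -> 192.0.2.10:%d"
SSHD = "fw sshd[2]: Failed password for root from 198.51.100.7 port %d ssh2"
SAMPLE_LOG = [(0, SNORT % 22), (30, SNORT % 23), (65, SNORT % 25), (90, SNORT % 80)]
SAMPLE_LOG += [(100 + i, SSHD % (50000 + i)) for i in range(5)]


def run(rules_text, log):
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    g = Guardian(rules)
    return [hit for hit in (g.feed(ts, line) for ts, line in log) if hit]
```

Running `run(RULES_TEXT, SAMPLE_LOG)` fires the snort rule only on the fourth probe: the hit at t=0 has aged out of the 60-second window by t=65, so the third probe is the second event in the window and the fourth is the third. The ssh rule fires on the fifth failed login and carries the `ssh-brute` tag, which is what a custom blocking script would key on.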
# RuleFile /etc/guardian.rule

# Optional external command file. This file holds blocking commands from any
# external sources, e.g., central syslog servers. Write to this file to initiate
# blocking. Restrict write access to it: anyone who can append a line here can
# block arbitrary hosts.
# Each line is of the format:
#   Action SourceIP SecondsToBlock Message
# where 'Action' can only be one of DROP, LOG, NOOP.
# Example: DROP 1.2.3.4 28800 possible rooted host
CommandFile /etc/guardian.cmd

# Optional command to run periodically to get the list of the currently
# blocked (DROP) hosts from your central firewall or log server, and apply
# your global 'Track' rules to them. No effect if there are no global 'Track' rules.
# "guardian" in the example below is a simple script which basically cats
# the content of /tmp/guardian.out on your firewall.
#PullCommand ssh -nxa guardian@firewall.domain "guardian"
PullCommand echo "4.3.2.1\nOK"
PullInterval 60m
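Because every line written to the CommandFile above turns into a block, the consumer of that file should validate lines strictly rather than trust them. The following added example, not guardian's own code, shows such a check in Python: it accepts only the documented `Action SourceIP SecondsToBlock Message` shape and the documented DROP/LOG/NOOP verbs, requires a parseable IP address and a bounded duration, and refuses to DROP non-global addresses or anything inside a never-block list. The ceiling (`MAX_BLOCK_SECONDS`), the never-block network and the sample command lines are this example's assumptions.

```python
# Added example, not guardian's own code: strict validation of CommandFile lines.
import ipaddress

ALLOWED_ACTIONS = {"DROP", "LOG", "NOOP"}                # the documented set
MAX_BLOCK_SECONDS = 7 * 86400                            # assumed ceiling on a single block
NEVER_BLOCK = {ipaddress.ip_network("192.0.2.0/24")}     # assumed: our own management net


def parse_command(line, never_block=NEVER_BLOCK, max_seconds=MAX_BLOCK_SECONDS):
    """Return (action, ip, seconds, message) or raise ValueError explaining the rejection."""
    fields = line.strip().split(None, 3)
    if len(fields) < 3:
        raise ValueError("need 'Action SourceIP SecondsToBlock [Message]'")
    action, ip_txt, secs_txt = fields[:3]
    message = fields[3] if len(fields) == 4 else ""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action %r" % action)
    try:
        ip = ipaddress.ip_address(ip_txt)
    except ValueError:
        raise ValueError("not an IP address: %r" % ip_txt) from None
    if not secs_txt.isdigit() or not 0 < int(secs_txt) <= max_seconds:
        raise ValueError("seconds must be 1..%d, got %r" % (max_seconds, secs_txt))
    # never let an external writer cut off private space or our own hosts
    if action == "DROP" and (not ip.is_global or any(ip in net for net in never_block)):
        raise ValueError("refusing to DROP %s" % ip)
    return action, str(ip), int(secs_txt), message


def process_commands(text):
    """Split a CommandFile's content into accepted commands and (line, reason) rejections."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(parse_command(line))
        except ValueError as e:
            rejected.append((line, str(e)))
    return accepted, rejected


SAMPLE_CMDS = """\
DROP 1.2.3.4 28800 possible rooted host
DROP 192.0.2.7 600 oops, that is our own bastion
LOG 203.0.113.9 60
BLOCK 5.6.7.8 60 unknown verb
DROP 8.8.8.8 99999999 absurd duration
DROP 10.0.0.5 600 private address
"""   # constructed input: one good DROP, one good LOG, four lines that must be refused
```

With the constructed input, `process_commands(SAMPLE_CMDS)` accepts the first and third lines and rejects the other four with a reason string each, so a log of refused lines doubles as a record of whoever is trying to misuse the file.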