    Simplified all configuration files. · 2e45fbd5
    Jan Mach authored
    Descriptions of common parameters should be in the documentation, so that updates do not have to be made in so many places. Additional documentation should be present only for script/daemon-specific parameters. (Redmine issue: #3387)
mentat-inspector-c.py.conf 7.01 KiB
#-------------------------------------------------------------------------------
#
# EXAMPLE CONFIGURATION FILE FOR MENTAT-INSPECTOR.PY MODULE
#
#-------------------------------------------------------------------------------

{
    #---------------------------------------------------------------------------
    # Custom daemon configurations
    #---------------------------------------------------------------------------

    # NOTE: The rules and actions below decide where messages get tagged,
    # copied, moved or emailed, so write access to this file should be
    # limited to the administrator.

    # List of the inspection rules. The rules will be processed in the
    # following order (the list order is significant).
    "inspection_rules":  [

        {
            # OPTIONAL name for the rule, should be short and will be
            # used as title in log files and email reports. When not set,
            # this defaults to "rule" (see further below).
            "name": "Example commented rule",

            # OPTIONAL description for the rule. This may be much longer
            # text and it should describe the purpose of the rule. The
            # description will appear in email reports, so it may also
            # contain hints for recipients on how to handle the report.
            "description": "This rule should really not match any of your alerts",

            # MANDATORY rule expression. Sadly, currently there is no
            # documentation of the filtering language, please see the
            # files in mentat.filtering package. The language is fairly
            # simple and all common logical, comparison and math operators
            # are available. NOTE: This is only an example rule, "0 AND" will
            # never be True.
            "rule": "0 AND Category EQ \"Recon.Scanning\"",

            # A fallback rule matching all alerts may be created with the following trick:
            #"rule": "1",

            # OPTIONAL final flag, defaults to False. When set to True, a
            # matching rule will make the inspection stop after this rule,
            # otherwise the next inspection rule will be evaluated.
            "final": false,

            # OPTIONAL enabled flag, defaults to True. When set to False,
            # the rule will be excluded from processing.
            "enabled": true,

            # MANDATORY actions list, may be empty. This should contain
            # all actions to be processed upon matching the rule.
            #
            # WARNING: ALL ARGUMENTS FOR ANY PARTICULAR ACTION ARE MANDATORY.
            "actions": [

                # Tag given message at given path with given static value.
                {"action": "tag", "args": {"path": "TestA.ValueA1",  "value": "Recon alert", "overwrite": true, "unique": false}},

                # Set given message at given path with the result of given expression.
                {"action": "set", "args": {"path": "TestA.ValueA2", "expression": "CreateTime + 3600", "overwrite": true, "unique": false}},

                # Send given message as email report to given email.
                {"action": "report",   "args": {"to": "recipient@organization.com", "from": "sender@organization.com", "subject": "Inspection alert", "report_type": "inspection_alert"}},

                # Duplicate (copy) given message into another queue.
                # NOTE: "/var/tmp" is only an example target. In a deployment
                # point this at a dedicated spool directory (compare the
                # commented-out fallback action further below) rather than a
                # shared, world-writable directory, so that other local
                # accounts cannot read or tamper with the queued messages.
                {"action": "duplicate", "args": {"queue_tgt": "/var/tmp"}},

                # Dispatch (move) given message into another queue.
                # IMPORTANT: This action will stop further processing of
                # the current message. The note about the example "/var/tmp"
                # target above applies here as well.
                {"action": "dispatch", "args": {"queue_tgt": "/var/tmp"}},

                # Stop processing of given message and drop it from queue.
                # IMPORTANT: This action will stop further processing of
                # the current message.
                {"action": "drop"},

                # Logging action, useful mostly for debugging and testing purposes.
                {"action": "log", "args": {"label": "User description"}}
            ]
        },

        # Example of minimal configuration:
        # NOTE(review): this tag action omits "overwrite" and "unique", although
        # the warning above states that all action arguments are mandatory —
        # confirm which of the two is correct.
        {
            "rule": "0 AND Category EQ \"Attempt.Exploit\"",
            "actions": [
                {"action": "tag", "args": {"path": "TestA.ValueA1", "value": "Exploit alert"}}
            ]
        },

        # A fallback (catch-all) rule matching all alerts may be created
        # with the following trick:
        {
            "name": "Fallback rule",
            "description": "Fallback rule matching all alerts, currently disabled by configuration",
            "rule": "1",
            "enabled": false,
            "actions": [
                {"action": "tag", "args": {"path": "Test.Value", "value": "Fallback action"}}
            ]
        }

    ],

    # List of fallback actions that will be performed with a given message
    # in case it does NOT match any of the inspection rules.
    "fallback_actions": [

        # Perhaps make a copy of the unknown alert in a separate folder for further inspection?
        #{"action": "duplicate", "args": {"queue_tgt": "/var/mentat/spool/..."}}

        # Perhaps just log the thing into the log file
        {"action": "log", "args": {"label": "User description for fallback action"}}

    ],

    #---------------------------------------------------------------------------
    # Common piper daemon configurations
    #---------------------------------------------------------------------------

    # Name of the input queue directory.
    #   default: "mentat-inspector-c.py"
    #   type:    string
    #
    #"queue_in_dir": "mentat-inspector-c.py",

    # Name of the output queue directory.
    #   default: null
    #   type:    string
    #
    "queue_out_dir": "mentat-enricher.py",

    # Limit on the number of the files for the output queue directory.
    #   default: 5000
    #   type:    integer
    #
    #"queue_out_limit": 10000,

    # Waiting time when the output queue limit is reached in seconds.
    #   default: 10
    #   type:    integer
    #
    #"queue_out_wait": 30,

    #---------------------------------------------------------------------------
    # Common daemon configurations
    #---------------------------------------------------------------------------
    # These parameters are shared by all daemons; their descriptions live in
    # the documentation and are intentionally not repeated here.
    #
    # NOTE(review): "chroot-dir" (hyphen) and "paralel" differ from the naming
    # of the other keys — confirm these are the spellings the daemon reads.

    #"no_daemon": false,
    #"chroot-dir": null,
    #"work_dir": "/",
    #"pid_file": "/var/mentat/run/mentat-inspector-c.py.pid",
    #"state_file": "/var/mentat/run/mentat-inspector-c.py.state",
    #"umask": "0o002",
    #"stats_interval": 300,
    #"paralel": false,

    #---------------------------------------------------------------------------
    # Common application configurations
    #---------------------------------------------------------------------------
    # Shared application parameters; see the documentation for descriptions.

    #"quiet": false,
    #"verbosity": 0,
    #"log_file": "/var/mentat/log/mentat-inspector-c.py.log",
    #"log_level": "info",
    #"runlog_dir": "/var/mentat/run/mentat-inspector-c.py",
    #"runlog_dump": false,
    #"runlog_log": false,
    #"pstate_file": "/var/mentat/run/mentat-inspector-c.py.pstate",
    #"pstate_dump": false,
    #"pstate_log": false,
    #"action": null,
    #"user": "mentat",
    #"group": "mentat",

    # This is a dummy last configuration entry so that the user does not have
    # to fix the commas in the whole configuration file after each change.
    "_dummy_": "_dummy_"
}