Diffstat (limited to 'ruleset.conf.sample')
-rw-r--r-- | ruleset.conf.sample | 31 |
1 files changed, 18 insertions, 13 deletions
diff --git a/ruleset.conf.sample b/ruleset.conf.sample
index cde5f5b..c8909a9 100644
--- a/ruleset.conf.sample
+++ b/ruleset.conf.sample
@@ -2,15 +2,23 @@
 # Peekaboo ruleset configuration file
 # Copyright (C) 2016-2019 science + computing ag
 #
-# rule specific configuration options
-# the section name equals the name of the rule
-#
-
-[known]
-# if not specified the default is enabled : yes
-enabled : yes
+# list of rules to run on samples
+[rules]
+rule.1 : known
+rule.2 : file_larger_than
+rule.3 : file_type_on_whitelist
+rule.4 : file_type_on_greylist
+rule.5 : cuckoo_evil_sig
+rule.6 : cuckoo_score
+rule.7 : office_macro
+#rule.8 : requests_evil_domain
+rule.9 : cuckoo_analysis_failed
+#rule.10 : contains_peekabooyar
+rule.11 : final_rule
+# rule specific configuration options
+# the section name equals the name of the rule
 #[file_larger_than]
 # defaults:
 #bytes : 5
@@ -113,15 +121,10 @@ signature.43 : Wscript.exe initiated network communications indicative of a scri
 #higher_than : 4.0
 [requests_evil_domain]
-enabled : no
 # define a list of bad domains here
 domain.1 : canarytokens.com
-# this rule is for testing only, so it is disabled by default
-[contains_peekabooyar]
-enabled : no
-
-[cuckoo_analysis_failed]
+#[cuckoo_analysis_failed]
 # This rule checks whether analysis by Cuckoo failed. If so, it reports a
 # result of "failed" for this sample and aborts rule processing. In case of
 # success, result "unknown" is returned (because successful analysis in itself
@@ -153,5 +156,7 @@ enabled : no
 #failure.1: end of analysis reached!
 # rules without configuration options:
+# - known
+# - contains_peekabooyar
 # - office_macro
 # - final_rule |
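Review bot: The `[rules]` block added in the first hunk makes being listed the only way a rule gets run, but nothing in the sample says so, and the per-section `enabled` key dropped in the second hunk would presumably be silently ignored in an existing deployment that still carries it (e.g. `enabled : no` under `[requests_evil_domain]`) unless the loader rejects unknown options — confirm. Add above `[rules]`: `# only rules listed here are run; the former per-section 'enabled' key is no longer honoured`. The gaps left by the commented `#rule.8` and `#rule.10` entries are only safe if the loader picks up whatever `rule.N` keys exist rather than counting from 1, and if the list order is the evaluation order then `final_rule` has to stay last; a one-line comment stating both would spare the next editor a wrong guess, e.g. `# numbers need not be consecutive; rules run in the order listed, keep final_rule last` — adjust to what the loader actually does.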