-
Notifications
You must be signed in to change notification settings - Fork 12
/
rudra.conf
85 lines (67 loc) · 2.65 KB
/
rudra.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# update config.py to include options with correct datatype mappings
[INPUT]
# temporary blacklisting of certain files
# these files take extremely long to scan, overnight or may be more
# 4809eb53debf0923f50d3ba05c05b5b149f3d6f1c65d43871044522f80ea3241 corkami/65535sects.exe
# 30f30d6edcff29e6a5573091ad0bdbb13e94c6f95fa417fa52807a942ad61667 corkami/maxsecW7.exe
# 256c563941276058170796229d1b2a37f78a97b9d01115d542e2a38460b9160d corkami/maxsec_lowaligW7.exe
blacklistsha256 = 4809eb53debf0923f50d3ba05c05b5b149f3d6f1c65d43871044522f80ea3241, 30f30d6edcff29e6a5573091ad0bdbb13e94c6f95fa417fa52807a942ad61667, 256c563941276058170796229d1b2a37f78a97b9d01115d542e2a38460b9160d, 0176f026e1f2ff03079713ee7c6f325791c99ed250e26555e7cedfb2435a4610
supportedmimetypes = application/x-dosexec,application/vnd.tcpdump.pcap
inputfiles = data/binary/crafted/corkami/tiny.exe
langid = data/rules/json/langid-codepage.json
sigapi = data/rules/json/api.json
sigmutexes = data/rules/mutexes/2014-12-24_santas_bag_of_mutants.txt
sigpdbpaths = data/rules/pdbpaths/PDB_MALWARE - PDB.csv
sigregexantivm = data/rules/json/regex-antivm.json
sigregex = data/rules/json/regex.json
sigknownsections = data/rules/json/known-sections.json
sigpackersections = data/rules/json/packer-sections.json
siguserdb = data/rules/userdb/gcode.userdb
sigyara = data/rules/yara/index.yar
sigmandiant_hashfile = data/rules/mandiant/m-whitelist-1.0.txt
sigmandiant_bloomfilterfile = data/rules/mandiant/m-whitelist-1.0.txt.bloomfilter
signsrl_hashfile = data/rules/nsrl/mini/NSRLFile-MD5.txt
signsrl_bloomfilterfile = data/rules/nsrl/mini/NSRLFile-MD5.txt.bloomfilter
bpf = tcp or udp
htmltemplatepcap = pcap.tmpl
[OUTPUT]
savereport = true
savehtmlreport = true
reportsdir = reports
reportsdirstruct = true
reportsdirstructlevel = 0
enablefilevisualization = true
enableentropycompressionstats = true
enablegeoloc = true
enablereversedns = true
enablewhoislookup = true
enablegooglemaps = true
# protocol identification cannot be disabled
# but decoding can be for identified protocols
enableprotodecode = true
[ANALYSIS]
enablepcap = true
pcapengine = libnids
inspectudpdepth = 2048
inspectctsdepth = 2048
inspectstcdepth = 2048
enablepe = true
enableyara = true
yaramatchtimeout = 60
enableshellcode = true
enableregex = true
enableheuristics = true
enableplugins = true
enableonlinelookup = true
[MISC]
version = 0.2
nobanner = true
verbose = true
timezone = Asia/Kolkata
truncatelength = 128
enablebufhexdump = true
htmlhexdumpbytes = 1024
interactive = false
# if >0 this will generate entropy/byte-freq graph and filevis
# only if filesize is less than the below byte value (default: 6291456 = 6MB)
statsfilesizelimit = 6291456