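# Log-processing pipeline configuration: global options, filters, inputs,
# outputs, formats, and the log chains that wire them together.
# Fix in this revision: the `input syslog` stanza was the only block without a
# closing `;`, unlike every other stanza in the file.
include "filters.conf";

options global {
    debug_level = 5;                # NOTE(review): verbose; confirm what is emitted at this level and whether it can include message payloads
    stop_chain = 1;                 # semantics not defined in this file — TODO confirm
    default_output = textfile;
    default_format = string;
};

# Filters match OR. e.g., host_filter will match if hostname OR ip_address is
# found
filter host_filter {
    hostname = { "basm.cerias.purdue.edu", "earthsea.cerias.purdue.edu" };
    ip_address = "128.46.101.2";
};

filter user_filter {
    username = "bmatheny";
    uid = 500;
    gid = 250;
};

filter packet_filter1 {
    string = "4510 0028 0000 4000 4006 3cbe 7f00 0001";
};

# Inputs
input textfile {
    library = "textfile";
    format_id = string;
    filename = "/tmp/bar.log";      # NOTE(review): lives in a world-writable directory; confirm the file is created/owned by this process and not pre-creatable by other users
    polltime = 0;
};

input syslog {
    library = "pipe";
    format_id = syslog;
    filename = "/dev/log";
};                                  # was missing the trailing ';' that every other stanza has

input snort_sensor_1 {
    library = "snort";
    format_id = xml;
    client_port = 500;              # port snort will send traffic to us on
                                    # NOTE(review): below 1024, so binding normally needs elevated privileges — confirm how/if the daemon drops them afterwards
    private_key = "/etc/snort/snort.key";  # private key for data decryption
                                    # NOTE(review): key file should be readable only by the account this service runs as
};

# Output expressions
output socket {
    library = "socket";
    format_id = xml;
    filename = "/tmp/ssh.socket";   # NOTE(review): socket path in a world-writable directory; confirm ownership/permissions at creation
    interval = 0;
};

output network {
    library = "network";
    format_id = any;
    server_address = "10.10.10.100";
    server_port = 5656;             # NOTE(review): nothing in this stanza configures transport protection — confirm whether the "network" library authenticates/encrypts or the link is trusted
    interval = 0;
};

# Format expressions. translates specifies what we can convert from->to and
# the cost of that conversion
# NOTE(review): the meaning of the sign of a cost (1 vs -1) is not defined here — confirm against the format libraries.
format string {
    library = "string";
    translates = { xml = 1 };       # from xml->string
};

format xml {
    library = "xml";
    translates = { string = -1 , syslog = -1 };  # string->xml, syslog->xml
};

format syslog {
    library = "syslog";
    translates = { string = -1 , xml = -1 };     # string->syslog, xml->syslog
};

format any {
    library = "any";
    translates = { };               # Stub
};

# log chain expressions
# From the three examples below the five fields appear to be:
#   { filter expression }, { input }, { output }, { format }, { numeric flag }
# where '*' is a wildcard and the final 0/1 flag is not defined in this file — TODO confirm.
log chain1 {
    { host_filter && user_filter }, { syslog }, { network }, { xml }, { 0 }
};

log chain2 {
    { packet_filter1 || host_filter }, { snort_sensor_1 }, { network }, { xml }, { 1 }
};

log chain3 {
    { * }, { * }, { textfile }, { string }, { 1 }
};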