ansible_security.ids_rule_facts

ids_rule_facts

Tech Preview

This Ansible role gathers facts about the rules and signatures of Intrusion Detection Systems (IDS). Each supported IDS is called a "provider" in the role, and the collected rules are returned as Ansible facts.

Currently supported provider:

  • snort

Requirements

You need Red Hat Enterprise Linux 7.x or a similar Linux distribution, such as CentOS 7 or Scientific Linux 7.

Role Variables

  • ids_provider - This specifies which IDS provider to use (Default Value: "snort").

snort

For the Snort provider, set the ids_provider variable like this:

vars:
  ids_provider: snort

snort variables

  • ids_provider - Default value: "snort"
  • ids_rule_facts_path - The file or directory where the rules are stored for collecting facts. Default value: /etc/snort/rules/
  • ids_rule_facts_filter - A search string filter. Default value: None

Example Playbook

---
- name: Test ids_rule_facts
  hosts: idshosts
  vars:
    ids_provider: "snort"
    ids_rule_facts_filter: 'content:"|21 4A 6B B9 B2 3D 76 D5 D8 79 DB 08 48 65 41 1F 9E 25 13 4E CB C2 A4 F5 95 ED 54 66 B8 22 75 FE|'
  tasks:
    - name: Import ids_rule_facts
      import_role:
        name: 'ids_rule_facts'

    - debug:
        var: ansible_facts.ids_rules
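
As an added example (not part of the role's own documentation), the playbook below uses the same variables to check that a given signature is deployed on every IDS host and fails the play where it is missing. It assumes that ansible_facts.ids_rules is a collection that is empty when nothing matches the filter; the rules file path and the sid value are constructed sample values.

```yaml
---
- name: Verify a signature is deployed on every IDS host
  hosts: idshosts
  vars:
    ids_provider: "snort"
    # Assumption: site-specific rules live in this file on the target hosts.
    ids_rule_facts_path: /etc/snort/rules/local.rules
    # Constructed sample value: a made-up sid used as the search string.
    ids_rule_facts_filter: 'sid:1000001'
  tasks:
    - name: Import ids_rule_facts
      import_role:
        name: 'ids_rule_facts'

    # Assumption: ids_rules is a list (or other sized collection) that is
    # empty when no rule matches the filter.
    - name: Fail if no rule matched the filter
      assert:
        that:
          - ansible_facts.ids_rules is defined
          - ansible_facts.ids_rules | length > 0
        fail_msg: "No rule matching '{{ ids_rule_facts_filter }}' in {{ ids_rule_facts_path }}"
        success_msg: "Matching rule present on {{ inventory_hostname }}"
```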

License

GPLv3

Author Information

Ansible Security Automation Team

About the project

Intrusion Detection System Rule maintenance

Install
ansible-galaxy install ansible_security.ids_rule_facts
License
gpl-3.0
Downloads
8.1k
Owner