
Annotation of /cauldron/snort/current/SOURCES/snort.sysconfig



Revision 389214 - (hide annotations) (download)
Thu Jan 17 21:30:27 2013 UTC (11 years, 3 months ago) by pterjan
File size: 2670 byte(s)
oops
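# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.3 2003/12/12 02:05:51 cazz Exp $

# All of these options, with the exception of -c (which tells Snort where
# the configuration file is), may be specified in that configuration file as
# well as on the command line. Both the command-line and config-file forms
# are listed here for reference.
#
# NOTE(review): the 0/1 settings below presumably mean 0 = off, 1 = on;
# confirm against the init script that reads this file.


#### General Configuration

# What interface should snort listen on?
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth0

# To listen on all interfaces use this instead:
#INTERFACE=ALL

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# Security note: Snort parses untrusted network traffic, so keep this a
# dedicated unprivileged account that owns nothing except what Snort must
# write to (see LOGDIR below). Do not set these to root.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets?
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# Security note: with pass rules applied first, an overly broad pass rule can
# hide traffic that an alert rule would otherwise have flagged. Review the
# pass rules before enabling this.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# Security note: alerts and packet logs written here can contain captured
# traffic. Restrict the directory to the USER/GROUP above and to the analysts
# who need it, and rotate it so that it cannot fill the filesystem.
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock. Fast writes alerts to the default "alert" file in a single-line,
# syslog-style alert message. Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message. None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode?
# Security note: payloads of cleartext protocols can include credentials and
# personal data, so output produced with this enabled is sensitive.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# Security note: these files hold captured packets; apply the same access
# and retention controls as for the rest of LOGDIR.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=1

# Should Snort turn off packet logging? The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0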
