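# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.3 2003/12/12 02:05:51 cazz Exp $
#
# This file is sourced as a shell fragment by the snort init script, so keep
# every setting in VAR=value form: no spaces around "=", one setting per line,
# and nothing after the value on the same line.

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.


#### General Configuration

# What interface should snort listen on?
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth0

# To listen on all interfaces use this instead:
#INTERFACE=ALL

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges. Leave these set so that Snort does
# not keep running with the privileges it started with once the capture
# interface has been opened.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
# The packet and alert logs written here describe observed traffic in
# detail, so this directory should be readable only by the user and group
# Snort runs as (USER/GROUP above).
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock. Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message. Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message. None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode. Application layer data can include
# credentials and other sensitive content from the monitored traffic, so
# when this is enabled the LOGDIR permissions above matter.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=1

# Should Snort turn off packet logging? The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0
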