
Contents of /cauldron/snort/current/SOURCES/snort.sysconfig



Revision 30270 - (show annotations) (download)
Fri Jan 21 20:13:20 2011 UTC (13 years, 3 months ago) by dlucio
File size: 2670 byte(s)
imported package snort
1 # /etc/sysconfig/snort
2 # $Id: snort.sysconfig,v 1.3 2003/12/12 02:05:51 cazz Exp $
3
4 # All of these options with the exception of -c, which tells Snort where
5 # the configuration file is, may be specified in that configuration file as
6 # well as the command line. Both the command line and config file options
7 # are listed here for reference.
8
9
10 #### General Configuration
11
12 # What interface should snort listen on?
13 # This is -i {interface} on the command line
14 # This is the snort.conf config interface: {interface} directive
15 INTERFACE=eth0
16
17 # To listen on all interfaces use this instead:
18 #INTERFACE=ALL
19
20 # Where is Snort's configuration file?
21 # -c {/path/to/snort.conf}
22 CONF=/etc/snort/snort.conf
23
24 # What user and group should Snort drop to after starting? This user and
25 # group should have very few privileges.
26 # -u {user} -g {group}
27 # config set_uid: user
28 # config set_gid: group
29 USER=snort
30 GROUP=snort
31
32 # Should Snort change the order in which the rules are applied to packets?
33 # Instead of being applied in the standard Alert->Pass->Log order, this will
34 # apply them in Pass->Alert->Log order.
35 # -o
36 # config order: {actions in order}
37 # e.g. config order: log alert pass activation dynamic suspicious redalert
38 PASS_FIRST=0
39
40
41 #### Logging & Alerting
42
43 # NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
44 # exclusive. Use either NO_PACKET_LOG or any/all of the other logging
45 # options. But the more logging options you use, the slower Snort will run.
46
47
48 # Where should Snort log?
49 # -l {/path/to/logdir}
50 # config logdir: {/path/to/logdir}
51 LOGDIR=/var/log/snort
52
53 # How should Snort alert? Valid alert modes include fast, full, none, and
54 # unsock. Fast writes alerts to the default "alert" file in a single-line,
55 # syslog style alert message. Full writes the alert to the "alert" file
56 # with the full decoded header as well as the alert message. None turns off
57 # alerting. Unsock is an experimental mode that sends the alert information
58 # out over a UNIX socket to another process that attaches to that socket.
59 # -A {alert-mode}
60 # output alert_{type}: {options}
61 ALERTMODE=fast
62
63 # Should Snort dump the application layer data when displaying packets in
64 # verbose or packet logging mode?
65 # -d
66 # config dump_payload
67 DUMP_APP=1
68
69 # Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
70 # recommended as it provides very useful information for investigations.
71 # -b
72 # output log_tcpdump: {log name}
73 BINARY_LOG=1
74
75 # Should Snort turn off packet logging? The program still generates
76 # alerts normally.
77 # -N
78 # config nolog
79 NO_PACKET_LOG=0
80
81 # Print out the receiving interface name in alerts.
82 # -I
83 # config alert_with_interface_name
84 PRINT_INTERFACE=0
85
