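# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.3 2003/12/12 02:05:51 cazz Exp $

# This file is sourced by the Snort init script as plain shell variable
# assignments: one KEY=value per line, no spaces around the "=", and no
# trailing comments on value lines.
#
# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.


#### General Configuration

# What interface should snort listen on?
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth0

# To listen on all interfaces use this instead:
#INTERFACE=ALL

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges. Keep this a dedicated,
# unprivileged account; do not set it to root, or the privilege drop is
# a no-op.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets?
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# The USER/GROUP configured above must be able to write here after the
# privilege drop, and the directory should not be readable by other users.
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock. Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message. Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message. None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode?
# NOTE: dumped payloads may contain credentials or other sensitive data;
# restrict access to LOGDIR accordingly.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=1

# Should Snort turn off packet logging? The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0
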