rowelld

Snort Sysconfig File

Jul 30th, 2014
  1. # /etc/sysconfig/snort
  2. # $Id$
  3.  
  4. # All of these options with the exception of -c, which tells Snort where
  5. # the configuration file is, may be specified in that configuration file as
  6. # well as the command line. Both the command line and config file options
  7. # are listed here for reference.
  8.  
  9.  
  10. #### General Configuration
  11.  
  12. # What interface should snort listen on? [Pick only 1 of the next 3!]
  13. # This is -i {interface} on the command line
  14. # This is the snort.conf config interface: {interface} directive
  15. INTERFACE=eth0
  16. #
  17. # The following two options are not directly supported on the command line
  18. # or in the conf file and assume the same Snort configuration for all
  19. # instances
  20. #
  21. # To listen on all interfaces use this:
  22. #INTERFACE=ALL
  23. #
  24. # To listen only on given interfaces use this:
  25. #INTERFACE="eth1 eth2 eth3 eth4 eth5"
  26.  
  27.  
  28. # Where is Snort's configuration file?
  29. # -c {/path/to/snort.conf}
  30. CONF=/etc/snort/snort.conf
  31.  
  32. # What user and group should Snort drop to after starting? This user and
  33. # group should have very few privileges.
  34. # -u {user} -g {group}
  35. # config set_uid: user
  36. # config set_gid: group
  37. USER=snort
  38. GROUP=snort
  39.  
  40. # Should Snort change the order in which the rules are applied to packets.
  41. # Instead of being applied in the standard Alert->Pass->Log order, this will
  42. # apply them in Pass->Alert->Log order.
  43. # -o
  44. # config order: {actions in order}
  45. # e.g. config order: log alert pass activation dynamic suspicious redalert
  46. PASS_FIRST=0
  47.  
  48.  
  49. #### Logging & Alerting
  50.  
  51. # NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
  52. # exclusive. Use either NO_PACKET_LOG or any/all of the other logging
  53. # options. But the more logging options use you, the slower Snort will run.
  54.  
  55.  
  56. # Where should Snort log?
  57. # -l {/path/to/logdir}
  58. # config logdir: {/path/to/logdir}
  59. LOGDIR=/var/log/snort
  60.  
  61. # How should Snort alert? Valid alert modes include fast, full, none, and
  62. # unsock. Fast writes alerts to the default "alert" file in a single-line,
  63. # syslog style alert message. Full writes the alert to the "alert" file
  64. # with the full decoded header as well as the alert message. None turns off
  65. # alerting. Unsock is an experimental mode that sends the alert information
  66. # out over a UNIX socket to another process that attaches to that socket.
  67. # -A {alert-mode}
  68. # output alert_{type}: {options}
  69. #ALERTMODE=full
  70.  
  71. # Should Snort dump the application layer data when displaying packets in
  72. # verbose or packet logging mode.
  73. # -d
  74. # config dump_payload
  75. DUMP_APP=1
  76.  
  77. # Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
  78. # recommended as it provides very useful information for investigations.
  79. # -b
  80. # output log_tcpdump: {log name}
  81. #BINARY_LOG=1
  82.  
  83. # Should Snort turn off packet logging? The program still generates
  84. # alerts normally.
  85. # -N
  86. # config nolog
  87. NO_PACKET_LOG=0
  88.  
  89. # Print out the receiving interface name in alerts.
  90. # -I
  91. # config alert_with_interface_name
  92. PRINT_INTERFACE=0
  93.  
  94. # When dumping the stats, what log file should we look in
  95. SYSLOG=/var/log/messages
  96.  
  97. # When dumping the stats, how long to wait to make sure that syslog can
  98. # flush data to disk
  99. SECS=5
  100.  
  101. # To add a BPF filter to the command line uncomment the following variable
  102. # syntax corresponds to tcpdump(8)
  103. #BPF="not host 192.168.1.1"
  104.  
  105. # To use an external BPF filter file uncomment the following variable
  106. # syntax corresponds to tcpdump(8)
  107. # -F {/path/to/bpf_file}
  108. # config bpf_file: /path/to/bpf_file
  109. #BPFFILE=/etc/snort/bpf_file