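# /etc/sysconfig/snort
# $Id$

# All of these options, with the exception of -c (which tells Snort where
# the configuration file is), may be specified in that configuration file as
# well as on the command line. Both the command line and config file options
# are listed here for reference.
#
# NOTE(review): this file appears to be sourced as shell (presumably by the
# snort init script); every setting must therefore be a valid shell
# assignment on a single line, and values containing spaces must be quoted
# as in the multi-interface example below.


#### General Configuration

# What interface should Snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth1
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on the given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"


# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges (a dedicated, unprivileged account).
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets?
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog-style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode?
# -d
# config dump_payload
DUMP_APP=0

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=0

# Should Snort turn off packet logging?  The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in?
SYSLOG=/var/log/messages

# When dumping the stats, how long (seconds) to wait to make sure that
# syslog can flush data to disk
SECS=5

# To add a BPF filter to the command line, uncomment the following variable.
# Syntax corresponds to tcpdump(8).
#BPF="not host 192.168.1.1"

# To use an external BPF filter file, uncomment the following variable.
# Syntax corresponds to tcpdump(8).
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file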