Next: 2.1 Preprocessors Up: SnortTMUsers Manual 2.3.0 Previous: 1.7 More Information   Contents


2. Configuring Snort

2.0.1 Includes

The include keyword allows other rule files to be included within the rules file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

2.0.1.1 Format

include: <include file path/name>



NOTE: Included files will substitute any predefined variable values into their own variable references. See Section ([*]) for more information on defining and using variables in Snort rule files.


2.0.2 Variables

Variables may be defined in Snort. These are simple substitution variables set with the var keyword as shown in Figure [*].

2.0.2.1 Format

var: <name> <value>

Figure: Example of Variable Definition and Usage

var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tc... ...y -> $MY_NET any (flags:S; msg:"SYN packet";)

Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -, as described in the following table:

Variable Syntax | Description
$var | Defines a meta-variable.
$(var) | Replaces with the contents of variable var.
$(var:-default) | Replaces with the contents of variable var, or with "default" if var is undefined.
$(var:?message) | Replaces with the contents of variable var, or prints out the error message and exits.

See Figure [*] for an example of advanced variable usage in action.

Figure: Advanced Variable Usage Example

var MY_NET 192.168.1.0/24
log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23

2.0.3 Config

Many configuration and command line options of Snort can be specified in the configuration file.

2.0.3.1 Format

config <directive> [: <value>]
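As an added example (not code from the Snort manual or the Snort project), the following Python models the include, var and config handling described in Section 2.0.2 and here: it expands the four variable reference forms from the variable syntax table, splices included files in place so they see variables already defined, and records directives written in the config <directive> [: <value>] form. The regular expression, the error handling and the in-memory sample files are assumptions, not Snort's own parser.

```python
import re

# Assumed regex for the four reference forms in the variable table above:
# $var, $(var), $(var:-default) and $(var:?message).  Not Snort's own parser.
VAR_RE = re.compile(r"\$(?:\((\w+)(?::([-?])(.*?))?\)|(\w+))")

def expand_vars(text, variables):
    """Substitute references in one line; ValueError stands in for Snort exiting."""
    def repl(m):
        name, op, arg = m.group(1) or m.group(4), m.group(2), m.group(3)
        if name in variables:
            return variables[name]
        if op == "-":                  # $(var:-default) falls back to default
            return arg                 # $(var:?message) exits with the message
        raise ValueError(arg if op == "?" else f"undefined variable {name}")
    return VAR_RE.sub(repl, text)

def load_config(lines, files, variables=None):
    """Read include/var/config lines; `files` maps include names to line lists."""
    variables = {} if variables is None else variables
    config, rules = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = expand_vars(line, variables)  # included files see earlier vars
        kw, _, rest = line.partition(" ")
        kw = kw.rstrip(":")                  # accept both "include:" and "include"
        if kw == "include":                  # splice the named file in place
            _, c, r = load_config(files[rest], files, variables)
            config.update(c)
            rules.extend(r)
        elif kw == "var":
            name, _, value = rest.partition(" ")
            variables[name] = value
        elif kw == "config":                 # config <directive> [: <value>]
            directive, _, value = rest.partition(":")
            config[directive.strip()] = value.strip() or None
        else:
            rules.append(line)
    return variables, config, rules

# Constructed in-memory stand-ins for snort.conf and an included rules file
FILES = {
    "snort.conf": ["var MY_NET [192.168.1.0/24,10.1.1.0/24]",
                   "config order: pass alert log activation",
                   "config daemon", "include: local.rules"],
    "local.rules": ['alert tcp any any -> $MY_NET any (flags:S; msg:"SYN packet";)',
                    'alert tcp any any -> $(DMZ:-10.0.0.0/8) 80 (msg:"web";)'],
}
```

Calling load_config(FILES["snort.conf"], FILES) yields the defined variables, the two config directives and both rules with their references expanded; an undefined variable referenced with the :? form raises the author's message instead.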

2.0.3.2 Directives

Table: Config Directives

Command | Example | Description
order | config order: pass alert log activation | Changes the order that rules are evaluated.
alertfile | config alertfile: alerts | Sets the alerts output file.
classification | config classification: misc-activity,Misc activity,3 | See Table [*] for a list of classifications.
dump_chars_only | config dump_chars_only | Turns on character dumps (snort -C).
dump_payload | config dump_payload | Dumps application layer (snort -d).
decode_data_link | config decode_data_link | Decodes Layer 2 headers (snort -e).
bpf_file | config bpf_file: filters.bpf | Specifies BPF filters (snort -F).
daemon | config daemon | Forks as a daemon (snort -D).
interface | config interface: xl0 | Sets the network interface (snort -i).
alert_with_interface_name | config alert_with_interface_name | Appends interface name to alert (snort -I).
logdir | config logdir: /var/log/snort | Sets the logdir (snort -l).
umask | config umask: 022 | Sets umask when running (snort -m).
pkt_count | config pkt_count: 13 | Exits after N packets (snort -n).
nolog | config nolog | Disables logging. Note: Alerts will still occur. (snort -N).
obfuscate | config obfuscate | Obfuscates IP addresses (snort -O).
no_promisc | config no_promisc | Disables promiscuous mode (snort -p).
quiet | config quiet | Disables banner and status reports (snort -q).
chroot | config chroot: /home/snort | Chroots to specified dir (snort -t).
checksum_mode | config checksum_mode: all | Types of packets to calculate checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all.
set_gid | config set_gid: 30 | Changes GID to specified GID (snort -g).
set_uid | config set_uid: snort_user | Sets UID to <id> (snort -u).
utc | config utc | Uses UTC instead of local time for timestamps (snort -U).
verbose | config verbose | Uses verbose logging to STDOUT (snort -v).
dump_payload_verbose | config dump_payload_verbose | Dumps raw packet starting at link layer (snort -X).
show_year | config show_year | Shows year in timestamps (snort -y).
stateful | config stateful | Sets assurance mode for stream4 (est). See the stream4 reassemble configuration [*].
min_ttl | config min_ttl: 30 | Sets a Snort-wide minimum TTL; traffic below it is ignored.
disable_decode_alerts | config disable_decode_alerts | Turns off the alerts generated by the decode phase of Snort.
disable_tcpopt_experimental_alerts | config disable_tcpopt_experimental_alerts | Turns off alerts generated by experimental TCP options.
disable_tcpopt_obsolete_alerts | config disable_tcpopt_obsolete_alerts | Turns off alerts generated by obsolete TCP options.
disable_tcpopt_ttcp_alerts | config disable_tcpopt_ttcp_alerts | Turns off alerts generated by T/TCP options.
disable_ttcp_alerts | config disable_ttcp_alerts | Turns off alerts generated by T/TCP options.
disable_tcpopt_alerts | config disable_tcpopt_alerts | Disables option length validation alerts.
disable_ipopt_alerts | config disable_ipopt_alerts | Disables IP option length validation alerts.
disable_decode_drops | config disable_decode_drops | Disables the dropping of bad packets identified by decoder (only applicable in inline mode).
disable_tcpopt_experimental_drops | config disable_tcpopt_experimental_drops | Disables the dropping of bad packets with experimental TCP options (only applicable in inline mode).
disable_ttcp_drops | config disable_ttcp_drops | Disables the dropping of bad packets with TCP echo option (only applicable in inline mode).
disable_tcpopt_drops | config disable_tcpopt_drops | Disables the dropping of bad packets with bad/truncated TCP options (only applicable in inline mode).
disable_ipopt_drops | config disable_ipopt_drops | Disables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).
flowbits_size | config flowbits_size: 128 | Specifies the maximum number of flowbit tags that can be used within a ruleset.
event_queue | config event_queue: max_queue 512 log 100 order_events priority | Specifies conditions about Snort's event queue. Options: max_queue <integer> (max events supported); log <integer> (number of events to log); order_events [priority|content_length] (how to order events within the queue). See Section [*] for more information and examples.
layer2resets | config layer2resets: 00:06:76:DD:5F:E3 | This option is only available when running in inline mode. See Section [*].
detection | config detection: search-method ac no_stream_inserts max_queue_events 128 | Makes changes to the detection engine. Options: search-method <ac|mwm|lowmem>; no_stream_inserts; max_queue_events <integer>.
asn1 | config asn1: 256 | Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section [*] for more information and examples.
snaplen | config snaplen: 2048 | Sets the snaplength of packet, same effect as the -P <snaplen> option.
read_bin_file | config read_bin_file: test_alert.pcap | Specifies a pcap file to use (instead of reading from network), same effect as the -r <tf> option.
reference | config reference: myref http://myurl.com/?id= | Adds a new reference system to Snort.


