Table:
Config Directives
Command |
Example |
Description |
order |
config order: pass alert log activation |
Changes the order that rules are evaluated. |
alertfile |
config alertfile: alerts |
Sets the alerts output file. |
classification |
config classification: misc-activity,Misc activity,3 |
See Table for a list of
classifications. |
dump_chars_only |
config dump_chars_only |
Turns on character dumps (snort -C). |
dump_payload |
config dump_payload |
Dumps application layer (snort -d). |
decode_data_link |
config decode_data_link |
Decodes Layer2 headers (snort -e). |
bpf_file |
config bpf_file: filters.bpf |
Specifies BPF filters (snort -F). |
daemon |
config daemon |
Forks as a daemon (snort -D). |
interface |
config interface: xl0 |
Sets the network interface (snort -i). |
alert_with_interface_name |
config alert_with_interface_name |
Appends interface name to alert (snort -I). |
logdir |
config logdir: /var/log/snort |
Sets the logdir (snort -l). |
umask |
config umask: 022 |
Sets umask when running (snort -m). |
pkt_count |
config pkt_count: 13 |
Exits after N packets (snort -n). |
nolog |
config nolog |
Disables logging. Note: Alerts will still occur. (snort -N). |
obfuscate |
config obfuscate |
Obfuscates IP Addresses (snort -O). |
no_promisc |
config no_promisc |
Disables promiscuous mode (snort -p). |
quiet |
config quiet |
Disables banner and status reports (snort -q). |
chroot |
config chroot: /home/snort |
Chroots to specified dir (snort -t). |
checksum_mode |
config checksum_mode: all |
Types of packets on which to calculate checksums. Values: none, noip, notcp,
noicmp, noudp, ip, tcp, udp, icmp or all. |
set_gid |
config set_gid: 30 |
Changes GID to specified GID (snort -g). |
set_uid |
config set_uid: snort_user |
Sets UID to id (snort -u). |
utc |
config utc |
Uses UTC instead of local time for timestamps (snort -U). |
verbose |
config verbose |
Uses verbose logging to STDOUT (snort -v). |
dump_payload_verbose |
config dump_payload_verbose |
Dumps raw packet starting at link layer (snort -X). |
show_year |
config show_year |
Shows year in timestamps (snort -y). |
stateful |
config stateful |
Sets assurance mode for stream4 (est). See the stream4 reassemble configuration. |
min_ttl |
config min_ttl:30 |
Sets a Snort-wide minimum TTL; all traffic with a TTL below this value is ignored. |
disable_decode_alerts |
config disable_decode_alerts |
Turns off the alerts generated by the decode phase of Snort. |
disable_tcpopt_experimental_alerts |
config disable_tcpopt_experimental_alerts |
Turns off alerts generated by experimental TCP options. |
disable_tcpopt_experimental_alerts |
config disable_tcpopt_experimental_alerts |
Turns off alerts generated by experimental TCP options. |
disable_tcpopt_obsolete_alerts |
config disable_tcpopt_obsolete_alerts |
Turns off alerts generated by obsolete TCP options. |
disable_tcpopt_ttcp_alerts |
config disable_tcpopt_ttcp_alerts |
Turns off alerts generated by T/TCP options. |
disable_ttcp_alerts |
config disable_ttcp_alerts |
Turns off alerts generated by T/TCP options. |
disable_tcpopt_alerts |
config disable_tcpopt_alerts |
Disables option length validation alerts. |
disable_ipopt_alerts |
config disable_ipopt_alerts |
Disables IP option length validation alerts. |
disable_decode_drops |
config disable_decode_drops |
Disables the dropping of
bad packets identified by decoder (only applicable in inline mode). |
disable_tcpopt_experimental_drops |
config disable_tcpopt_experimental_drops |
Disables the dropping of bad packets with experimental TCP options
(only applicable in inline mode). |
disable_ttcp_drops |
config disable_ttcp_drops |
Disables the dropping of bad packets with TCP echo option
(only applicable in inline mode). |
disable_tcpopt_drops |
config disable_tcpopt_drops |
Disables the dropping of bad packets with bad/truncated TCP
option (only applicable in inline mode). |
disable_ipopt_drops |
config disable_ipopt_drops |
Disables the dropping of bad packets with bad/truncated IP
options (only applicable in inline mode). |
flowbits_size |
config flowbits_size: 128 |
Specifies the maximum number of flowbit tags that can be used within
a ruleset. |
event_queue |
config event_queue: max_queue 512 log 100 order_events priority |
Specifies conditions about Snort's event queue. You can use the following options:
- max_queue
integer (max events supported)
- log
integer (number of events to log)
- order_events priority or content_length (how to order events within the queue)
See Section for more information and examples. |
layer2resets |
config layer2resets: 00:06:76:DD:5F:E3 |
This option is only available when running in inline mode. See Section. |
detection |
config detection: search-method ac no_stream_inserts max_queue_events 128 |
Makes changes to the detection engine.
The following options can be used:
- search-method ac, mwm or lowmem
- no_stream_inserts
- max_queue_events
integer
|
asn1 |
config asn1:256 |
Specifies the maximum number of nodes to
track when doing ASN1 decoding. See Section for more information and examples. |
snaplen |
config snaplen: 2048 |
Sets the snap length of captured packets; same effect as the
-P snaplen option. |
read_bin_file |
config read_bin_file: test_alert.pcap |
Specifies a pcap file to read packets from
(instead of reading from the network);
same effect as the -r tf option. |
reference |
config reference: myref http://myurl.com/?id= |
Adds a new reference system to Snort. |