Search Site

Search Rules

Account

email
password

not registered?

can't login?

user preferences

2. Configuring Snort

2.0.1 Includes

The include keyword allows other rule files to be included within the rules file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

2.0.1.1 Format

include: <include file path/name>

Note:   Note that there is no semicolon at the end of this line.

Included files will substitute any predefined variable values into their own variable references. See Section (2.0.2) for more information on defining and using variables in Snort rule files.

2.0.2 Variables

Variables may be defined in Snort. These are simple substitution variables set with the var keyword as shown in Figure 2.1.

2.0.2.1 Format

var: <name> <value>

Figure 2.1: Example of Variable Definition and Usage

Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -, as described in the following table:

Variable Syntax	Description
$var	Defines a meta-variable.
$(var)	Replaces with the contents of variable var.
$(var:-default)	Replaces the contents of the variable var with ``default'' if var is undefined.
$(var:?message)	Replaces with the contents of variable var or prints out the error message and exits.

See Figure 2.2 for an example of advanced variable usage in action.

Figure 2.2: Figure Advanced Variable Usage Example

2.0.3 Config

Many configuration and command line options of Snort can be specified in the configuration file.

2.0.3.1 Format

config <directive> [: <value>]

2.0.3.2 Directives

Table 2.1: Config Directives

Command	Example	Description
order	config order: pass alert log activation	Changes the order that rules are evaluated.
alertfile	config alertfile: alerts	Sets the alerts output file.
classification	config classification: misc-activity,Misc activity,3	See Table 3.2 for a list of classifications.
dump_chars_only	config dump_chars_only	Turns on character dumps (snort -C).
dump_payload	config dump_payload	Dumps application layer (snort -d).
decode_data_link	config decode_data_link	Decodes Layer2 headers (snort -e).
bpf_file	config bpf_file: filters.bpf	Specifies BPF filters (snort -F).
daemon	config daemon	Forks as a daemon (snort -D).
interface	config interface: xl0	Sets the network interface (snort -i).
alert_with_interface_name	config alert_with_interface_name	Appends interface name to alert (snort -I).
logdir	config logdir: /var/log/snort	Sets the logdir (snort -l).
umask	config umask: 022	Sets umask when running (snort -m).
pkt_count	config pkt_count: 13	Exits after N packets (snort -n).
nolog	config nolog	Disables logging. Note: Alerts will still occur. (snort -N).
obfuscate	config obfuscate	Obfuscates IP Addresses (snort -O).
no_promisc	config no_promisc	Disables promiscuous mode (snort -p).
quiet	config quiet	Disables banner and status reports (snort -q).
chroot	config chroot: /home/snort	Chroots to specified dir (snort -t).
checksum_mode	config checksum_mode : all	Types of packets to calculate checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all.
set_gid	config set_gid: 30	Changes GID to specified GID (snort -g).
set_uid	set_uid: snort_user	Sets UID to $<$id$>$ (snort -u).
utc	config utc	Uses UTC instead of local time for timestamps (snort -U).
verbose	config verbose	Uses verbose logging to STDOUT (snort -v).
dump_payload_verbose	config dump_payload_verbose	Dumps raw packet starting at link layer (snort -X).
show_year	config show_year	Shows year in timestamps (snort -y).
stateful	config stateful	Sets assurance mode for stream4 (est). See the stream4 reassemble configuration 2.3.
min_ttl	config min_ttl:30	Sets a Snort-wide minimum ttl to ignore all traffic.
disable_decode_alerts	config disable_decode_alerts	Turns off the alerts generated by the decode phase of Snort.
disable_tcpopt_experimental_ alerts	config disable_tcpopt_experiment al_alerts	Turns off alerts generated by experimental TCP options.
disable_tcpopt_experimental_ alerts	config disable_tcpopt_experiment al_alerts	Turns off alerts generated by experimental TCP options.
disable_tcpopt_obsolete_ alerts	config disable_tcpopt_obsolete_ alerts	Turns off alerts generated by obsolete TCP options.
disable_tcpopt_ttcp_alerts	config disable_tcpopt_ttcp_alerts	Turns off alerts generated by T/TCP options.
disable_ttcp_alerts	config disable_ttcp_alerts	Turns off alerts generated by T/TCP options.
disable_tcpopt_alerts	config disable_tcpopt_alerts	Disables option length validation alerts.
disable_ipopt_alerts	config disable_ipopt_alerts	Disables IP option length validation alerts.
disable_decode_drops	config disable_decode_drops	Disables the dropping of bad packets identified by decoder (only applicable in inline mode).
disable_tcpopt_experimental_ drops	config disable_tcpopt_experi mental_drops	Disables the dropping of bad packets with obsolete TCP option (only applicable in inline mode).
disable_ttcp_drops	disable_ttcp_drops	Disables the dropping of bad packets with TCP echo option (only applicable in inline mode).
disable_tcpopt_drops	config disable_tcpopt_drops	Disables the dropping of bad packets with bad/truncated TCP option (only applicable in inline mode).
disable_ipopt_drops	config disable_ipopt_drops	Disables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).
flowbits_size	config flowbits_size: 128	Specifies the maximum number of flowbit tags that can be used within a ruleset.
event_queue	config event_queue: max_queue 512 log 100 order_events priority	Specifies conditions about Snort's event queue. You can use the following options: max_queue $<$integer$>$ (max events supported) log $<$integer$>$ (number of events to log) order_events [priority$\vert$content_length] (how to order events within the queue) See Section 3.10 for more information and examples.
layer2resets	config layer2resets: 00:06:76:DD:5F:E3	This option is only available when running in inline mode. See Section 1.5.
detection	config detection: search-method ac no_stream_inserts max_queue_events 128	Makes changes to the detection engine. The following options can be used: search-method$<$ac$\vert$mwm$\vert$lowmem$>$ no_stream_inserts max_queue_events$<$integer$>$
asn1	config asn1:256	Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section 2.1.12 for more information and examples.
snaplen	config snaplen: 2048	Set the snaplength of packet, same effect as -P $<$snaplen$>$ option.
read_bin_file	config read_bin_file: test_alert.pcap	Specifies a pcap file to use (instead of reading from network), same effect as -r $<$tf$>$ option.
reference	config reference: myref http://myurl.com/?id=	Adds a new reference system to Snort.
ignore_ports	config ignore_ports: udp 1:17 53	Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (tcp, udp, ip, or icmp), followed by a list of ports. Port ranges are supported.

site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.