Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Preprocessors Up: Config Previous: Format   Contents

Directives

Table 2.1: Config Directives
Command Example Description
order config order: pass alert log activation Changes the order that rules are evaluated.
alertfile config alertfile: alerts Sets the alerts output file.
classification config classification: misc-activity,Misc activity,3 See Table 3.2 for a list of classifications.
dump_chars_only config dump_chars_only Turns on character dumps (snort -C).
dump_payload config dump_payload Dumps application layer (snort -d).
decode_data_link config decode_data_link Decodes Layer2 headers (snort -e).
bpf_file config bpf_file: filters.bpf Specifies BPF filters (snort -F).
daemon config daemon Forks as a daemon (snort -D).
interface config interface: xl0 Sets the network interface (snort -i).
alert_with_interface_name config alert_with_interface_name Appends interface name to alert (snort -I).
logdir config logdir: /var/log/snort Sets the logdir (snort -l).
umask config umask: 022 Sets umask when running (snort -m).
pkt_count config pkt_count: 13 Exits after N packets (snort -n).
nolog config nolog Disables logging. Note: Alerts will still occur. (snort -N).
obfuscate config obfuscate Obfuscates IP Addresses (snort -O).
no_promisc config no_promisc Disables promiscuous mode (snort -p).
quiet config quiet Disables banner and status reports (snort -q).
chroot config chroot: /home/snort Chroots to specified dir (snort -t).
checksum_mode config checksum_mode : all Types of packets to calculate checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all.
checksum_drop config checksum_drop : all Types of packets to drop if invalid checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all (only applicable in inline mode and for packets checked per checksum_mode config option).
set_gid config set_gid: 30 Changes GID to specified GID (snort -g).
set_uid set_uid: snort_user Sets UID to $<$id$>$ (snort -u).
utc config utc Uses UTC instead of local time for timestamps (snort -U).
verbose config verbose Uses verbose logging to STDOUT (snort -v).
dump_payload_verbose config dump_payload_verbose Dumps raw packet starting at link layer (snort -X).
show_year config show_year Shows year in timestamps (snort -y).
stateful config stateful Sets assurance mode for stream4 (est). See the stream4_reassemble configuration in table 2.3.
min_ttl config min_ttl:30 Sets a Snort-wide minimum ttl to ignore all traffic.
disable_decode_alerts config disable_decode_alerts Turns off the alerts generated by the decode phase of Snort.
disable_tcpopt_experimental_
alerts		 config disable_tcpopt_experiment
al_alerts		 Turns off alerts generated by experimental TCP options.
disable_tcpopt_obsolete_
alerts		 config disable_tcpopt_obsole
te_alerts		 Turns off alerts generated by obsolete TCP options.
disable_tcpopt_ttcp_alerts config disable_tcpopt_ttcp_alerts Turns off alerts generated by T/TCP options.
disable_ttcp_alerts config disable_ttcp_alerts Turns off alerts generated by T/TCP options.
disable_tcpopt_alerts config disable_tcpopt_alerts Disables option length validation alerts.
disable_ipopt_alerts config disable_ipopt_alerts Disables IP option length validation alerts.
enable_decode_drops config enable_decode_drops Enables the dropping of bad packets identified by decoder (only applicable in inline mode).
enable_tcpopt_experimental_
drops		 config enable_tcpopt_experi
mental_drops		 Enables the dropping of bad packets with experimental TCP option. (only applicable in inline mode).
enable_tcpopt_obsolete_
drops		 config enable_tcpopt_obsole
te_drops		 Enables the dropping of bad packets with obsolete TCP option. (only applicable in inline mode).
enable_tcpopt_ttcp_drops enable_tcpopt_ttcp_drops Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).
enable_tcpopt_drops config enable_tcpopt_drops Enables the dropping of bad packets with bad/truncated TCP option (only applicable in inline mode).
enable_ipopt_drops config enable_ipopt_drops Enables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).
flowbits_size config flowbits_size: 128 Specifies the maximum number of flowbit tags that can be used within a rule set.
event_queue config event_queue: max_queue 512 log 100 order_events priority Specifies conditions about Snort's event queue. You can use the following options:
  • max_queue $<$integer$>$ (max events supported)
  • log $<$integer$>$ (number of events to log)
  • order_events [priority$\vert$content_length] (how to order events within the queue)
See Section 3.10 for more information and examples.
layer2resets config layer2resets: 00:06:76:DD:5F:E3 This option is only available when running in inline mode. See Section 1.5.
detection config detection: search-method ac no_stream_inserts max_queue_events 128 Makes changes to the detection engine. The following options can be used:
  • search-method $<$ac $\vert$ ac-std $\vert$ ac-bnfa $\vert$ acs $\vert$ ac-banded $\vert$ ac-sparsebands $\vert$ lowmem $>$
    • ac Aho-Corasick Full (high memory, best performance)
    • ac-std Aho-Corasick Standard (moderate memory, high performance)
    • ac-bnfa Aho-Corasick NFA (low memory, high performance)
    • acs Aho-Corasick Sparse (small memory, moderate performance)
    • ac-banded Aho-Corasick Banded (small memory, moderate performance)
    • ac-sparsebands Aho-Corasick Sparse-Banded (small memory, high performance)
    • lowmem Low Memory Keyword Trie (small memory, low performance)
  • no_stream_inserts
  • max_queue_events$<$integer$>$
asn1 config asn1:256 Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section 2.1.17 for more information and examples.
snaplen config snaplen: 2048 Set the snaplength of packet, same effect as -P $<$snaplen$>$ or -snaplen $<$snaplen$>$ options.
read_bin_file config read_bin_file: test_alert.pcap Specifies a pcap file to use (instead of reading from network), same effect as -r $<$tf$>$ option.
reference config reference: myref http://myurl.com/?id= Adds a new reference system to Snort.
ignore_ports config ignore_ports: udp 1:17 53 Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (TCP, UDP, IP, or ICMP), followed by a list of ports. Port ranges are supported.

next up previous contents
Next: Preprocessors Up: Config Previous: Format   Contents
Steven Sturges 2007-05-11
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.