snort-2.3.3-2.3.20060mdk.x86_64.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>2. Configuring Snort </TITLE>
<META NAME="description" CONTENT="2. Configuring Snort ">
<META NAME="keywords" CONTENT="snort_manual">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="snort_manual.css">

<LINK REL="next" HREF="node16.html">
<LINK REL="previous" HREF="node2.html">
<LINK REL="up" HREF="snort_manual.html">
<LINK REL="next" HREF="node11.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html375"
  HREF="node11.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html371"
  HREF="snort_manual.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html365"
  HREF="node9.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html373"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html376"
  HREF="node11.html">2.1 Preprocessors</A>
<B> Up:</B> <A NAME="tex2html372"
  HREF="snort_manual.html">Snort<SUP>TM</SUP> Users Manual 2.3.3</A>
<B> Previous:</B> <A NAME="tex2html366"
  HREF="node9.html">1.7 More Information</A>
 &nbsp; <B>  <A NAME="tex2html374"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->

<H1><A NAME="SECTION00300000000000000000"></A><A NAME="Configuring_Snort"></A>
<BR>
2. Configuring Snort 
</H1>

<P>

<H2><A NAME="SECTION00301000000000000000">
2.0.1 Includes</A>
</H2>

<P>
The <TT>include</TT> keyword allows other rule files to be included within the rules
file indicated on the Snort command line. It works much like an #include from
the C programming language, reading the contents of the named file and adding the contents
in the place where the include statement appears in the file.

<P>

<H3><A NAME="SECTION00301100000000000000">
2.0.1.1 Format</A>
</H3>
<PRE>
include: &lt;include file path/name&gt;
</PRE>

<P>

<P>
<I>NOTE</I> (boxed note rendered as image img5.png; its text is not included in this copy)

<P>
Included files will
substitute any predefined variable values into their own variable references.
See Section <A HREF="#variables">2.0.2 Variables</A> for more information on defining and
using variables in Snort rule files.

<P>

<H2><A NAME="SECTION00302000000000000000"></A><A NAME="variables"></A>
<BR>
2.0.2 Variables 
</H2>

<P>
Variables may be defined in Snort. These are simple substitution variables
set with the <TT>var</TT> keyword, as shown in the figure <A HREF="#variable_definition">Example of Variable Definition and Usage</A> below.

<P>

<H3><A NAME="SECTION00302100000000000000">
2.0.2.1 Format</A>
</H3>

<P>
<PRE>
var: &lt;name&gt; &lt;value&gt;
</PRE>

<P>

<DIV ALIGN="CENTER"><A NAME="variable_definition"></A><A NAME="2118"></A>
<TABLE>
<CAPTION ALIGN="BOTTOM"><STRONG>Figure:</STRONG>
Example of Variable Definition and Usage</CAPTION>
<TR><TD><IMG
 WIDTH="507" HEIGHT="34" BORDER="0"
 SRC="img6.png"
 ALT="\begin{figure}\begin{verbatim}var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tc...
...y -&gt; $MY_NET any (flags:S; msg:''SYN packet'';)\end{verbatim}
\par\end{figure}"></TD></TR>
</TABLE>
</DIV>

<P>
Rule variable names can be modified in several ways. You can define
meta-variables using the $ operator. These can be used with the variable
modifier operators <TT>?</TT>  and <TT>-</TT>, as described in the following table: 

<P>
<TABLE CELLPADDING=3 BORDER="1">
<TR><TH ALIGN="LEFT"><B>Variable Syntax</B></TH>
<TH ALIGN="LEFT" VALIGN="TOP" WIDTH=360><B>Description</B></TH>
</TR>
<TR><TD ALIGN="LEFT"><TT>$var</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Defines a meta-variable.</TD>
</TR>
<TR><TD ALIGN="LEFT"><TT>$(var)</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces with the contents of variable <TT>var</TT>.</TD>
</TR>
<TR><TD ALIGN="LEFT"><TT>$(var:-default)</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces the contents of the variable <TT>var</TT> with &quot;default&quot; if
   <TT>var</TT> is undefined.</TD>
</TR>
<TR><TD ALIGN="LEFT"><TT>$(var:?message)</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces with the contents of variable <TT>var</TT> or prints out the
error message and exits.</TD>
</TR>
</TABLE>

<P>
See the figure <A HREF="#advanced_variable_usage">Advanced Variable Usage Example</A> below for an example of advanced variable usage in action.

<P>

<DIV ALIGN="CENTER"><A NAME="advanced_variable_usage"></A><A NAME="2120"></A>
<TABLE>
<CAPTION ALIGN="BOTTOM"><STRONG>Figure:</STRONG>
Advanced Variable Usage Example</CAPTION>
<TR><TD><PRE>
var MY_NET 192.168.1.0/24
log tcp any any -&gt; $(MY_NET:?MY_NET is undefined!) 23
</PRE></TD></TR>
</TABLE>
</DIV>

<P>

<H2><A NAME="SECTION00303000000000000000">
2.0.3 Config</A>
</H2>

<P>
Many configuration and command line options of Snort can be specified
in the configuration file. 

<P>

<H3><A NAME="SECTION00303100000000000000">
2.0.3.1 Format</A>
</H3>

<P>
<PRE>
config &lt;directive&gt; [: &lt;value&gt;]
</PRE>

<P>

<H3><A NAME="SECTION00303200000000000000">
2.0.3.2 Directives</A>
</H3>
<DIV ALIGN="CENTER">
<A NAME="266"></A>
<TABLE CELLPADDING=3 BORDER="1">
<CAPTION><STRONG>Table:</STRONG>
Config Directives</CAPTION>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><B>Command</B></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><B>Example</B></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><B>Description</B></TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>order</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config order: pass alert log activation</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Changes the order that rules are evaluated.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>alertfile</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config alertfile: alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the alerts output file.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>classification</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config classification: misc-activity,Misc activity,3</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>See Table <A HREF="#Snort_Default_Classifications"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for a list of
  classifications.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_chars_only</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_chars_only</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns on character dumps (<TT>snort -C</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_payload</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_payload</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Dumps application layer (<TT>snort -d</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>decode_data_link</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config decode_data_link</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Decodes Layer2 headers (<TT>snort -e</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>bpf_file</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config bpf_file: filters.bpf</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies BPF filters (<TT>snort -F</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>daemon</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config daemon</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Forks as a daemon (<TT>snort -D</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>interface</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config interface: xl0</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the network interface (<TT>snort -i</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>alert_with_interface_name</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config alert_with_interface_name</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Appends interface name to alert (<TT>snort -I</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>logdir</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config logdir: /var/log/snort</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the logdir (<TT>snort -l</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>umask</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config umask: 022</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets umask when running (<TT>snort -m</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>pkt_count</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config pkt_count: 13</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Exits after N packets (<TT>snort -n</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>nolog</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config nolog</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables logging. Note: Alerts will still occur. (<TT>snort -N</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>obfuscate</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config obfuscate</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Obfuscates IP Addresses (<TT>snort -O</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>no_promisc</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config no_promisc</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables promiscuous mode (<TT>snort -p</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>quiet</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config quiet</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables banner and status reports (<TT>snort -q</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>chroot</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config chroot: /home/snort</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Chroots to specified dir (<TT>snort -t</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>checksum_mode</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config checksum_mode: all</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Types of packets 
to calculate checksums. Values: <TT>none</TT>, <TT>noip</TT>, <TT>notcp</TT>, 
<TT>noicmp</TT>, <TT>noudp</TT>, <TT>ip</TT>, <TT>tcp</TT>, <TT>udp</TT>, <TT>icmp</TT> or <TT>all</TT>.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>set_gid</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config set_gid: 30</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Changes GID to specified GID (<TT>snort -g</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>set_uid</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config set_uid: snort_user</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets UID to &lt;id&gt; (<TT>snort -u</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>utc</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config utc</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Uses UTC instead of local time for timestamps (<TT>snort -U</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>verbose</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config verbose</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Uses verbose logging to STDOUT (<TT>snort -v</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_payload_verbose</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_payload_verbose</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Dumps raw packet starting at link layer (<TT>snort -X</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>show_year</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config show_year</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Shows year in timestamps (<TT>snort -y</TT>).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>stateful</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config stateful</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets assurance mode for stream4 (est). See the stream4 reassemble configuration <A HREF="#stream4_reassemble_defaults"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>min_ttl</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config min_ttl: 30</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets a Snort-wide minimum TTL; traffic below it is ignored.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_decode_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_decode_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off the alerts generated by the decode phase of Snort.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_experimental_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_experimental_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by experimental TCP options.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_obsolete_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_obsolete_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by obsolete TCP options.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_ttcp_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_ttcp_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by T/TCP options.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ttcp_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ttcp_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by T/TCP options.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables option length validation alerts.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ipopt_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ipopt_alerts</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables IP option length validation alerts.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_decode_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_decode_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of
bad packets identified by decoder (only applicable in inline mode).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_experimental_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_experimental_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with obsolete TCP option
        (only applicable in inline mode).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ttcp_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ttcp_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with TCP echo option
        (only applicable in inline mode).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with bad/truncated TCP
        option (only applicable in inline mode).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ipopt_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ipopt_drops</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with bad/truncated IP
        options (only applicable in inline mode).</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>flowbits_size</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config flowbits_size: 128</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies the maximum number of flowbit tags that can be used within
        a ruleset.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>event_queue</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config event_queue: max_queue 512 log 100 order_events priority</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies conditions about Snort's event queue. You can use the following options:

<UL>
<LI><TT>max_queue &lt;integer&gt;</TT> (max events supported)
</LI>
<LI><TT>log &lt;integer&gt;</TT> (number of events to log)
</LI>
<LI><TT>order_events [priority|content_length]</TT> (how to order events within the queue)
</LI>
</UL>
See Section <A HREF="node14.html#eventqueue"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for more information and examples.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>layer2resets</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config layer2resets: 00:06:76:DD:5F:E3</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>This option is only available when running in inline mode. See Section <A HREF="node7.html#Snort_Inline"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>detection</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config detection: search-method ac no_stream_inserts max_queue_events 128</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Makes changes to the detection engine. 
The following options can be used:
<UL>
<LI><TT>search-method &lt;ac|mwm|lowmem&gt;</TT>
</LI>
<LI><TT>no_stream_inserts</TT>
</LI>
<LI><TT>max_queue_events &lt;integer&gt;</TT>
</LI>
</UL></TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>asn1</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config asn1:256</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies the maximum number of nodes to 
track when doing ASN1 decoding. See Section <A HREF="node11.html#asn1"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for more information and examples.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>snaplen</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config snaplen: 2048</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the snap length of captured packets; same effect as the
<TT>-P &lt;snaplen&gt;</TT> option.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>read_bin_file</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config read_bin_file: test_alert.pcap</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies a pcap file to read from
(instead of reading from the network); same effect as the <TT>-r &lt;tf&gt;</TT> option.</TD>
</TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>reference</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config reference: myref http://myurl.com/?id=</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Adds a new reference system to Snort.</TD>
</TR>
</TABLE>
</DIV>
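<P>
Added example (not code from the Snort project): a small Python preprocessor that applies the rules from the Includes, Variables and Config subsections above to constructed in-memory files, expanding <TT>$var</TT>, <TT>$(var)</TT>, <TT>$(var:-default)</TT> and <TT>$(var:?message)</TT> with the semantics in the variable table, splicing <TT>include</TT> files in place so they see earlier <TT>var</TT> definitions, and collecting <TT>config</TT> directives so that a reviewer's audit can flag an invalid <TT>checksum_mode</TT> value, <TT>nolog</TT>, or <TT>daemon</TT> without <TT>set_uid</TT>/<TT>set_gid</TT>/<TT>chroot</TT>. It assumes both the colon form shown under Format and the bare form in the figures are accepted and that a variable's value is expanded when it is defined; <TT>FILES</TT>, <TT>expand</TT>, <TT>preprocess</TT> and <TT>audit</TT> are this example's own names.

```python
# Mini preprocessor for the Snort 2.3 config syntax in this chapter: include,
# var and config lines plus $var, $(var), $(var:-default) and $(var:?message).
import re

# Constructed sample files (not from the Snort distribution), keyed by the
# path an include line would name.
FILES = {
    "snort.conf": """\
var HOME_NET [192.168.1.0/24,10.1.1.0/24]
var EXTERNAL_NET !$HOME_NET
config checksum_mode: all
config daemon
config nolog
include: local.rules
""",
    "local.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S; msg:"SYN packet";)
log tcp any any -> $(MGMT_NET:-10.0.0.0/8) 23
""",
    "strict.rules": "log tcp any any -> $(DMZ_NET:?DMZ_NET is undefined!) 23\n",
}
# $(name), $(name:-default), $(name:?message) first; bare $name second.
VAR_RE = re.compile(r"\$\((\w+)(?::([-?])([^)]*))?\)|\$(\w+)")
CHECKSUM_MODES = {"none", "noip", "notcp", "noicmp", "noudp",
                  "ip", "tcp", "udp", "icmp", "all"}


class ConfigError(Exception):
    """Raised where Snort itself would print an error and exit."""


def expand(text, variables):
    """Substitute variable references in one line using the table's semantics."""
    def repl(m):
        name = m.group(1) or m.group(4)
        mode, arg = m.group(2), m.group(3)
        if name in variables:
            return variables[name]
        if mode == "-":               # $(var:-default): use the default
            return arg
        if mode == "?":               # $(var:?message): fatal, with that message
            raise ConfigError(arg)
        raise ConfigError(f"undefined variable: {name}")
    return VAR_RE.sub(repl, text)


def preprocess(path, files=FILES, variables=None, directives=None, depth=0):
    """Return (rules, variables, directives); includes are spliced in place."""
    variables = {} if variables is None else variables
    directives = {} if directives is None else directives
    if depth > 16:
        raise ConfigError(f"include nesting too deep at {path} (loop?)")
    if path not in files:
        raise ConfigError(f"include file not found: {path}")
    rules = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.rstrip(":"), rest.strip()   # 'var:' or 'var'
        if keyword == "var":
            name, _, value = rest.partition(" ")
            variables[name] = expand(value.strip(), variables)
        elif keyword == "include":
            # The included file sees every variable defined before this point.
            rules.extend(preprocess(expand(rest, variables), files, variables,
                                    directives, depth + 1)[0])
        elif keyword == "config":
            directive, _, value = rest.partition(":")
            directives[directive.strip()] = expand(value.strip(), variables)
        else:
            rules.append(expand(line, variables))
    return rules, variables, directives


def audit(directives):
    """Flag settings a reviewer would question, using the directive table above."""
    findings = []
    for mode in directives.get("checksum_mode", "").split():
        if mode not in CHECKSUM_MODES:
            findings.append(f"unknown checksum_mode value: {mode}")
    if "daemon" in directives and not {"set_uid", "set_gid", "chroot"} <= set(directives):
        findings.append("daemon without set_uid/set_gid/chroot: keeps the caller's privileges")
    if "nolog" in directives:
        findings.append("nolog: alerts still fire but packets are not logged")
    return findings
```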

<P>

<BR><HR>
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><UL>
<LI><A NAME="tex2html377"
  HREF="node10.html#SECTION00301000000000000000">2.0.1 Includes</A>
<LI><A NAME="tex2html378"
  HREF="node10.html#SECTION00302000000000000000">2.0.2 Variables </A>
<LI><A NAME="tex2html379"
  HREF="node10.html#SECTION00303000000000000000">2.0.3 Config</A>
</UL>
<BR>
<LI><A NAME="tex2html380"
  HREF="node11.html">2.1 Preprocessors</A>
<UL>
<LI><A NAME="tex2html381"
  HREF="node11.html#SECTION00311000000000000000">2.1.1 Portscan Detector</A>
<LI><A NAME="tex2html382"
  HREF="node11.html#SECTION00312000000000000000">2.1.2 Portscan Ignorehosts</A>
<LI><A NAME="tex2html383"
  HREF="node11.html#SECTION00313000000000000000">2.1.3 sfPortscan</A>
<LI><A NAME="tex2html384"
  HREF="node11.html#SECTION00314000000000000000">2.1.4 Frag2</A>
<LI><A NAME="tex2html385"
  HREF="node11.html#SECTION00315000000000000000">2.1.5 Stream4</A>
<LI><A NAME="tex2html386"
  HREF="node11.html#SECTION00316000000000000000">2.1.6 Flow</A>
<LI><A NAME="tex2html387"
  HREF="node11.html#SECTION00317000000000000000">2.1.7 Flow-Portscan</A>
<LI><A NAME="tex2html388"
  HREF="node11.html#SECTION00318000000000000000">2.1.8 Telnet Decode</A>
<LI><A NAME="tex2html389"
  HREF="node11.html#SECTION00319000000000000000">2.1.9 RPC Decode</A>
<LI><A NAME="tex2html390"
  HREF="node11.html#SECTION003110000000000000000">2.1.10 Performance Monitor</A>
<LI><A NAME="tex2html391"
  HREF="node11.html#SECTION003111000000000000000">2.1.11 HTTP Inspect </A>
<LI><A NAME="tex2html392"
  HREF="node11.html#SECTION003112000000000000000">2.1.12 ASN.1 Detection</A>
<LI><A NAME="tex2html393"
  HREF="node11.html#SECTION003113000000000000000">2.1.13 X-Link2State Mini-Preprocessor</A>
</UL>
<BR>
<LI><A NAME="tex2html394"
  HREF="node12.html">2.2 Event Thresholding</A>
<UL>
<LI><A NAME="tex2html395"
  HREF="node12.html#SECTION00321000000000000000">2.2.1 Standalone Options</A>
<LI><A NAME="tex2html396"
  HREF="node12.html#SECTION00322000000000000000">2.2.2 Standalone Format</A>
<LI><A NAME="tex2html397"
  HREF="node12.html#SECTION00323000000000000000">2.2.3 Rule Keyword Format</A>
<LI><A NAME="tex2html398"
  HREF="node12.html#SECTION00324000000000000000">2.2.4 Rule Keyword Format</A>
<LI><A NAME="tex2html399"
  HREF="node12.html#SECTION00325000000000000000">2.2.5 Examples</A>
</UL>
<BR>
<LI><A NAME="tex2html400"
  HREF="node13.html">2.3 Event Suppression</A>
<UL>
<LI><A NAME="tex2html401"
  HREF="node13.html#SECTION00331000000000000000">2.3.1 Format</A>
<LI><A NAME="tex2html402"
  HREF="node13.html#SECTION00332000000000000000">2.3.2 Examples</A>
</UL>
<BR>
<LI><A NAME="tex2html403"
  HREF="node14.html">2.4 Snort Multi-Event Logging (Event Queue)</A>
<UL>
<LI><A NAME="tex2html404"
  HREF="node14.html#SECTION00341000000000000000">2.4.1 Event Queue Configuration Options</A>
<LI><A NAME="tex2html405"
  HREF="node14.html#SECTION00342000000000000000">2.4.2 Event Queue Configuration Examples</A>
</UL>
<BR>
<LI><A NAME="tex2html406"
  HREF="node15.html">2.5 Output Modules</A>
<UL>
<LI><A NAME="tex2html407"
  HREF="node15.html#SECTION00351000000000000000">2.5.1 alert_syslog </A>
<LI><A NAME="tex2html408"
  HREF="node15.html#SECTION00352000000000000000">2.5.2 alert_fast</A>
<LI><A NAME="tex2html409"
  HREF="node15.html#SECTION00353000000000000000">2.5.3 alert_full</A>
<LI><A NAME="tex2html410"
  HREF="node15.html#SECTION00354000000000000000">2.5.4 alert_unixsock</A>
<LI><A NAME="tex2html411"
  HREF="node15.html#SECTION00355000000000000000">2.5.5 log_tcpdump</A>
<LI><A NAME="tex2html412"
  HREF="node15.html#SECTION00356000000000000000">2.5.6 database </A>
<LI><A NAME="tex2html413"
  HREF="node15.html#SECTION00357000000000000000">2.5.7 csv</A>
<LI><A NAME="tex2html414"
  HREF="node15.html#SECTION00358000000000000000">2.5.8 unified</A>
<LI><A NAME="tex2html415"
  HREF="node15.html#SECTION00359000000000000000">2.5.9 log null</A>
</UL></UL>
<!--End of Table of Child-Links-->
<HR>

</BODY>
</HTML>