<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <!--Converted with LaTeX2HTML 2002-2-1 (1.71) original version by: Nikos Drakos, CBLU, University of Leeds * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan * with significant contributions from: Jens Lippmann, Marek Rouchal, Martin Wilck and others --> <HTML> <HEAD> <TITLE>2. Configuring Snort </TITLE> <META NAME="description" CONTENT="2. Configuring Snort "> <META NAME="keywords" CONTENT="snort_manual"> <META NAME="resource-type" CONTENT="document"> <META NAME="distribution" CONTENT="global"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1"> <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css"> <LINK REL="STYLESHEET" HREF="snort_manual.css"> <LINK REL="next" HREF="node16.html"> <LINK REL="previous" HREF="node2.html"> <LINK REL="up" HREF="snort_manual.html"> <LINK REL="next" HREF="node11.html"> </HEAD> <BODY > <!--Navigation Panel--> <A NAME="tex2html375" HREF="node11.html"> <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> <A NAME="tex2html371" HREF="snort_manual.html"> <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> <A NAME="tex2html365" HREF="node9.html"> <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> <A NAME="tex2html373" HREF="node1.html"> <IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A> <BR> <B> Next:</B> <A NAME="tex2html376" HREF="node11.html">2.1 Preprocessors</A> <B> Up:</B> <A NAME="tex2html372" HREF="snort_manual.html">Snort<SUP>TM</SUP>Users Manual 2.3.3</A> <B> Previous:</B> <A NAME="tex2html366" HREF="node9.html">1.7 More Information</A> <B> <A NAME="tex2html374" HREF="node1.html">Contents</A></B> <BR> <BR> <!--End of Navigation Panel--> <H1><A NAME="SECTION00300000000000000000"></A><A NAME="Configuring_Snort"></A> <BR> 2. 
Configuring Snort </H1> <P> <H2><A NAME="SECTION00301000000000000000"> 2.0.1 Includes</A> </H2> <P> The <TT>include</TT> keyword allows other rule files to be included within the rules file indicated on the Snort command line. It works much like <TT>#include</TT> in the C programming language: the contents of the named file are read and inserted at the point where the include statement appears. <P> <H3><A NAME="SECTION00301100000000000000"> 2.0.1.1 Format</A> </H3> <PRE> include: &lt;include file path/name&gt; </PRE> <P> <BR> <BR><I> <FONT SIZE="+4"><IMG WIDTH="18" HEIGHT="30" ALIGN="MIDDLE" BORDER="0" SRC="img3.png" ALT="$\triangle$"> <FONT SIZE="+2"><IMG WIDTH="8" HEIGHT="20" ALIGN="BOTTOM" BORDER="0" SRC="img4.png" ALT="$^!$"></FONT></FONT> <FONT SIZE="+2">NOTE</FONT> </I> <P> <DIV ALIGN="CENTER"> <!-- MATH $\fbox{ \usebox{ \savepar } }$ --> <IMG WIDTH="714" HEIGHT="76" ALIGN="MIDDLE" BORDER="0" SRC="img5.png" ALT="\fbox{ \usebox{ \savepar } }"> </DIV> <P> Variables defined before the include statement are visible inside the included file, which substitutes their values into its own variable references. See Section (<A HREF="#variables"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>) for more information on defining and using variables in Snort rule files. <P> <H2><A NAME="SECTION00302000000000000000"></A><A NAME="variables"></A> <BR> 2.0.2 Variables </H2> <P> Variables may be defined in Snort. These are simple substitution variables set with the <TT>var</TT> keyword, as shown in Figure <A HREF="#variable_definition"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>. 
<P> <H3><A NAME="SECTION00302100000000000000"> 2.0.2.1 Format</A> </H3> <P> <PRE> var: &lt;name&gt; &lt;value&gt; </PRE> <P> <DIV ALIGN="CENTER"><A NAME="variable_definition"></A><A NAME="2118"></A> <TABLE> <CAPTION ALIGN="BOTTOM"><STRONG>Figure:</STRONG> Example of Variable Definition and Usage</CAPTION> <TR><TD><PRE>
var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tc... ...y -> $MY_NET any (flags:S; msg:"SYN packet";)
</PRE></TD></TR> </TABLE> </DIV> <P> Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators <TT>?</TT> and <TT>-</TT>, as described in the following table: <P> <TABLE CELLPADDING=3 BORDER="1"> <TR><TH ALIGN="LEFT"><B>Variable Syntax</B></TH> <TH ALIGN="LEFT" VALIGN="TOP" WIDTH=360><B>Description</B></TH> </TR> <TR><TD ALIGN="LEFT"><TT>$var</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Defines a meta-variable.</TD> </TR> <TR><TD ALIGN="LEFT"><TT>$(var)</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces with the contents of variable <TT>var</TT>.</TD> </TR> <TR><TD ALIGN="LEFT"><TT>$(var:-default)</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces with the contents of variable <TT>var</TT>, or with "default" if <TT>var</TT> is undefined.</TD> </TR> <TR><TD ALIGN="LEFT"><TT>$(var:?message)</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=360>Replaces with the contents of variable <TT>var</TT>, or prints the error message and exits if <TT>var</TT> is undefined.</TD> </TR> </TABLE> <P> See Figure <A HREF="#advanced_variable_usage"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for an example of advanced variable usage in action. 
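<P> The following Python is an added worked example, not code from the manual or from Snort itself. It models the behaviour the Includes and Variables sections describe (an <TT>include</TT> spliced in place, <TT>var</TT> definitions visible to files included afterwards, and the <TT>$var</TT>, <TT>$(var)</TT>, <TT>$(var:-default)</TT> and <TT>$(var:?message)</TT> expansions), then collects the <TT>config &lt;directive&gt; [: &lt;value&gt;]</TT> lines of the Config section that follows and reviews them against the directives in its table. The file contents in <TT>FILES</TT> are constructed; the include-depth guard, the treatment of an undefined bare <TT>$var</TT> as a fatal error, and the hardening checks are the editor's assumptions, not documented Snort behaviour.

```python
"""Added example: a model of how Snort's rules-file preprocessing behaves.
Not Snort source code and not from the manual. `include` splices a file in at
the point of the statement, `var` defines a substitution variable, and the
$var / $(var) / $(var:-default) / $(var:?message) forms are expanded; the
`config` directives of the resulting text are then collected and reviewed."""
import re
from typing import Dict, List, Optional

# Constructed in-memory "files" standing in for snort.conf and an included rules file.
FILES = {
    "snort.conf": "\n".join([
        "var HOME_NET 192.168.1.0/24",
        "var EXTERNAL_NET !$HOME_NET",           # value is expanded when defined
        "config set_uid: snort_user",
        "config checksum_mode: all",
        "include: local.rules",                  # spliced in here; sees HOME_NET
    ]),
    "local.rules": "\n".join([
        "var TELNET_PORT 23",
        "log tcp $EXTERNAL_NET any -> $(HOME_NET:?HOME_NET is undefined!) $TELNET_PORT",
        'alert tcp any any -> $(HOME_NET) $(SSH_PORT:-22) (flags:S; msg:"SYN to ssh";)',
    ]),
}

INCLUDE_RE = re.compile(r"^include:?\s*(\S+)$")
VAR_RE = re.compile(r"^var:?\s+(\w+)\s+(.+)$")
CONFIG_RE = re.compile(r"^config\s+([\w-]+)\s*(?::\s*(.*))?$")
# $(name), $(name:-default), $(name:?message), or a bare $name
REF_RE = re.compile(r"\$\((\w+)(?::([-?])(.*?))?\)|\$(\w+)")


class UndefinedVariable(Exception):
    """Snort prints the message and exits; this model raises instead."""


def expand(text: str, variables: Dict[str, str]) -> str:
    """Apply the variable modifier semantics from the manual's table."""
    def repl(m: re.Match) -> str:
        name = m.group(1) or m.group(4)
        modifier, arg = m.group(2), m.group(3)
        if name in variables:
            return variables[name]
        if modifier == "-":               # $(var:-default): use the default
            return arg
        if modifier == "?":               # $(var:?message): report the message
            raise UndefinedVariable(arg)
        # Assumption: a bare $var or $(var) that is undefined is a fatal error.
        raise UndefinedVariable(f"{name} is undefined")
    return REF_RE.sub(repl, text)


def preprocess(path: str, files: Dict[str, str],
               variables: Optional[Dict[str, str]] = None, depth: int = 0) -> List[str]:
    """Return the lines Snort would see: includes spliced in, variables expanded.
    `variables` is shared with included files, so a file included after a `var`
    line sees that variable, as the manual describes."""
    variables = {} if variables is None else variables
    if depth > 16:                        # assumption: guard against include loops
        raise RecursionError(f"include nesting too deep at {path}")
    out: List[str] = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := INCLUDE_RE.match(line):
            out.extend(preprocess(m.group(1), files, variables, depth + 1))
        elif m := VAR_RE.match(line):
            variables[m.group(1)] = expand(m.group(2), variables)
        else:
            out.append(expand(line, variables))
    return out


def config_directives(lines: List[str]) -> Dict[str, str]:
    """Map each `config <directive> [: <value>]` line to its value ('' if none)."""
    found: Dict[str, str] = {}
    for line in lines:
        if m := CONFIG_RE.match(line):
            found[m.group(1)] = (m.group(2) or "").strip()
    return found


def hardening_findings(directives: Dict[str, str]) -> List[str]:
    """Editor's checks (not Snort's) over the directives a defender cares about."""
    findings: List[str] = []
    for key in ("set_uid", "set_gid", "chroot"):
        if key not in directives:
            findings.append(f"{key} not set: Snort keeps the privileges it started with")
    if directives.get("checksum_mode") == "none":
        findings.append("checksum_mode none: packets the receiving host would discard "
                        "for a bad checksum are still fed to detection")
    if "nolog" in directives:
        findings.append("nolog set: alerts still fire but no packet logs are written")
    return findings


if __name__ == "__main__":
    lines = preprocess("snort.conf", FILES)
    print("\n".join(lines))
    for finding in hardening_findings(config_directives(lines)):
        print("finding:", finding)
```

<P> Run stand-alone, the script prints the two <TT>config</TT> lines followed by the two rules with every variable resolved (<TT>$(SSH_PORT:-22)</TT> falls back to <TT>22</TT> because <TT>SSH_PORT</TT> is never defined), and then reports that <TT>set_gid</TT> and <TT>chroot</TT> are absent from the constructed configuration. Changing the <TT>$(HOME_NET:?...)</TT> reference to an undefined name reproduces the exit-with-message behaviour of the <TT>?</TT> modifier.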
<P> <DIV ALIGN="CENTER"><A NAME="advanced_variable_usage"></A><A NAME="2120"></A> <TABLE> <CAPTION ALIGN="BOTTOM"><STRONG>Figure:</STRONG> Advanced Variable Usage Example</CAPTION> <TR><TD><PRE>
var MY_NET 192.168.1.0/24
log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
</PRE></TD></TR> </TABLE> </DIV> <P> <H2><A NAME="SECTION00303000000000000000"> 2.0.3 Config</A> </H2> <P> Many of Snort's configuration and command line options can also be set in the configuration file with the <TT>config</TT> keyword. <P> <H3><A NAME="SECTION00303100000000000000"> 2.0.3.1 Format</A> </H3> <P> <PRE> config &lt;directive&gt; [: &lt;value&gt;] </PRE> <P> <H3><A NAME="SECTION00303200000000000000"> 2.0.3.2 Directives</A> </H3> <DIV ALIGN="CENTER"> <A NAME="266"></A> <TABLE CELLPADDING=3 BORDER="1"> <CAPTION><STRONG>Table:</STRONG> Config Directives</CAPTION> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><B>Command</B></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><B>Example</B></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><B>Description</B></TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>order</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config order: pass alert log activation</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Changes the order in which rules are evaluated.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>alertfile</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config alertfile: alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the alerts output file.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>classification</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config classification: misc-activity,Misc activity,3</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>See Table <A HREF="#Snort_Default_Classifications"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for a 
list of classifications.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_chars_only</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_chars_only</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns on character dumps (<TT>snort -C</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_payload</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_payload</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Dumps application layer (<TT>snort -d</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>decode_data_link</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config decode_data_link</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Decodes Layer2 headers (<TT>snort -e</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>bpf_file</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config bpf_file: filters.bpf</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies BPF filters (<TT>snort -F</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>daemon</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config daemon</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Forks as a daemon (<TT>snort -D</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>interface</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config interface: xl0</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the network interface (<TT>snort -i</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>alert_with_interface_name</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config alert_with_interface_name</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Appends interface name to alert (<TT>snort -I</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>logdir</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config logdir: /var/log/snort</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the logdir (<TT>snort -l</TT>).</TD> </TR> 
<TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>umask</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config umask: 022</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets umask when running (<TT>snort -m</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>pkt_count</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config pkt_count: 13</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Exits after N packets (<TT>snort -n</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>nolog</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config nolog</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables logging. Note: Alerts will still occur. (<TT>snort -N</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>obfuscate</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config obfuscate</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Obfuscates IP Addresses (<TT>snort -O</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>no_promisc</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config no_promisc</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables promiscuous mode (<TT>snort -p</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>quiet</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config quiet</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables banner and status reports (<TT>snort -q</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>chroot</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config chroot: /home/snort</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Chroots to specified dir (<TT>snort -t</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>checksum_mode</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config checksum_mode : all</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Types of packets to calculate checksums. 
Values: <TT>none</TT>, <TT>noip</TT>, <TT>notcp</TT>, <TT>noicmp</TT>, <TT>noudp</TT>, <TT>ip</TT>, <TT>tcp</TT>, <TT>udp</TT>, <TT>icmp</TT> or <TT>all</TT>.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>set_gid</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config set_gid: 30</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Changes the group ID to the specified GID (<TT>snort -g</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>set_uid</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config set_uid: snort_user</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the user ID to &lt;id&gt; (<TT>snort -u</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>utc</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config utc</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Uses UTC instead of local time for timestamps (<TT>snort -U</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>verbose</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config verbose</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Uses verbose logging to STDOUT (<TT>snort -v</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>dump_payload_verbose</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config dump_payload_verbose</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Dumps the raw packet starting at the link layer (<TT>snort -X</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>show_year</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config show_year</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Shows the year in timestamps (<TT>snort -y</TT>).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>stateful</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config stateful</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets assurance mode for stream4 
(est). See the stream4 reassemble configuration <A HREF="#stream4_reassemble_defaults"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>min_ttl</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config min_ttl:30</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets a Snort-wide minimum TTL; packets with a lower TTL are ignored.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_decode_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_decode_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off the alerts generated by the decode phase of Snort.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_experimental_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_experimental_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by experimental TCP options.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_obsolete_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_obsolete_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by obsolete TCP options.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_ttcp_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_ttcp_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by T/TCP options.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ttcp_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ttcp_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Turns off alerts generated by T/TCP options.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables option length validation alerts.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ipopt_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ipopt_alerts</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables IP option length validation alerts.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_decode_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_decode_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets identified by the decoder (only applicable in inline mode).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_experimental_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_experimental_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with obsolete TCP option (only applicable in inline mode).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ttcp_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_ttcp_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with TCP echo option (only applicable in inline mode).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_tcpopt_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config disable_tcpopt_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with bad/truncated TCP option (only applicable in inline mode).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>disable_ipopt_drops</TT></TD> <TD ALIGN="LEFT" 
VALIGN="TOP" WIDTH=162><TT>config disable_ipopt_drops</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Disables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>flowbits_size</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config flowbits_size: 128</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies the maximum number of flowbit tags that can be used within a ruleset.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>event_queue</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config event_queue: max_queue 512 log 100 order_events priority</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Configures Snort's event queue. You can use the following options: <UL> <LI><TT>max_queue &lt;integer&gt;</TT> (max events supported) </LI> <LI><TT>log &lt;integer&gt;</TT> (number of events to log) </LI> <LI><TT>order_events [priority|content_length]</TT> (how to order events within the queue) </LI> </UL> See Section <A HREF="node14.html#eventqueue"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for more information and examples.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>layer2resets</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config layer2resets: 00:06:76:DD:5F:E3</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>This option is only available when running in inline mode. See Section <A HREF="node7.html#Snort_Inline"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>detection</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config detection: search-method ac no_stream_inserts max_queue_events 128</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Configures the detection engine. The following options can be used: <UL> <LI><TT>search-method &lt;ac|mwm|lowmem&gt;</TT> </LI> <LI><TT>no_stream_inserts</TT> </LI> <LI><TT>max_queue_events &lt;integer&gt;</TT> </LI> </UL></TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>asn1</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config asn1:256</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Specifies the maximum number of nodes to track when doing ASN.1 decoding. See Section <A HREF="node11.html#asn1"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for more information and examples.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>snaplen</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config snaplen: 2048</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Sets the snap length (bytes captured per packet); same effect as the <TT>-P &lt;snaplen&gt;</TT> option.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>read_bin_file</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config read_bin_file: test_alert.pcap</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Reads packets from the specified pcap file instead of from the network; same effect as the <TT>-r &lt;tf&gt;</TT> option.</TD> </TR> <TR><TD ALIGN="LEFT" VALIGN="TOP" WIDTH=144><TT>reference</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162><TT>config reference: myref http://myurl.com/?id=</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=162>Adds a new reference system to Snort.</TD> </TR> </TABLE> </DIV> <P> <BR><HR> <!--Table of Child-Links--> <A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A> <UL> <LI><UL> <LI><A NAME="tex2html377" HREF="node10.html#SECTION00301000000000000000">2.0.1 Includes</A> <LI><A NAME="tex2html378" HREF="node10.html#SECTION00302000000000000000">2.0.2 Variables </A> <LI><A NAME="tex2html379" HREF="node10.html#SECTION00303000000000000000">2.0.3 Config</A> </UL> <BR> <LI><A NAME="tex2html380" HREF="node11.html">2.1 Preprocessors</A> <UL> <LI><A NAME="tex2html381" HREF="node11.html#SECTION00311000000000000000">2.1.1 Portscan Detector</A> <LI><A NAME="tex2html382" HREF="node11.html#SECTION00312000000000000000">2.1.2 Portscan Ignorehosts</A> <LI><A 
NAME="tex2html383" HREF="node11.html#SECTION00313000000000000000">2.1.3 sfPortscan</A> <LI><A NAME="tex2html384" HREF="node11.html#SECTION00314000000000000000">2.1.4 Frag2</A> <LI><A NAME="tex2html385" HREF="node11.html#SECTION00315000000000000000">2.1.5 Stream4</A> <LI><A NAME="tex2html386" HREF="node11.html#SECTION00316000000000000000">2.1.6 Flow</A> <LI><A NAME="tex2html387" HREF="node11.html#SECTION00317000000000000000">2.1.7 Flow-Portscan</A> <LI><A NAME="tex2html388" HREF="node11.html#SECTION00318000000000000000">2.1.8 Telnet Decode</A> <LI><A NAME="tex2html389" HREF="node11.html#SECTION00319000000000000000">2.1.9 RPC Decode</A> <LI><A NAME="tex2html390" HREF="node11.html#SECTION003110000000000000000">2.1.10 Performance Monitor</A> <LI><A NAME="tex2html391" HREF="node11.html#SECTION003111000000000000000">2.1.11 HTTP Inspect </A> <LI><A NAME="tex2html392" HREF="node11.html#SECTION003112000000000000000">2.1.12 ASN.1 Detection</A> <LI><A NAME="tex2html393" HREF="node11.html#SECTION003113000000000000000">2.1.13 X-Link2State Mini-Preprocessor</A> </UL> <BR> <LI><A NAME="tex2html394" HREF="node12.html">2.2 Event Thresholding</A> <UL> <LI><A NAME="tex2html395" HREF="node12.html#SECTION00321000000000000000">2.2.1 Standalone Options</A> <LI><A NAME="tex2html396" HREF="node12.html#SECTION00322000000000000000">2.2.2 Standalone Format</A> <LI><A NAME="tex2html397" HREF="node12.html#SECTION00323000000000000000">2.2.3 Rule Keyword Format</A> <LI><A NAME="tex2html398" HREF="node12.html#SECTION00324000000000000000">2.2.4 Rule Keyword Format</A> <LI><A NAME="tex2html399" HREF="node12.html#SECTION00325000000000000000">2.2.5 Examples</A> </UL> <BR> <LI><A NAME="tex2html400" HREF="node13.html">2.3 Event Suppression</A> <UL> <LI><A NAME="tex2html401" HREF="node13.html#SECTION00331000000000000000">2.3.1 Format</A> <LI><A NAME="tex2html402" HREF="node13.html#SECTION00332000000000000000">2.3.2 Examples</A> </UL> <BR> <LI><A NAME="tex2html403" HREF="node14.html">2.4 Snort Multi-Event 
Logging (Event Queue)</A> <UL> <LI><A NAME="tex2html404" HREF="node14.html#SECTION00341000000000000000">2.4.1 Event Queue Configuration Options</A> <LI><A NAME="tex2html405" HREF="node14.html#SECTION00342000000000000000">2.4.2 Event Queue Configuration Examples</A> </UL> <BR> <LI><A NAME="tex2html406" HREF="node15.html">2.5 Output Modules</A> <UL> <LI><A NAME="tex2html407" HREF="node15.html#SECTION00351000000000000000">2.5.1 alert_syslog </A> <LI><A NAME="tex2html408" HREF="node15.html#SECTION00352000000000000000">2.5.2 alert_fast</A> <LI><A NAME="tex2html409" HREF="node15.html#SECTION00353000000000000000">2.5.3 alert_full</A> <LI><A NAME="tex2html410" HREF="node15.html#SECTION00354000000000000000">2.5.4 alert_unixsock</A> <LI><A NAME="tex2html411" HREF="node15.html#SECTION00355000000000000000">2.5.5 log_tcpdump</A> <LI><A NAME="tex2html412" HREF="node15.html#SECTION00356000000000000000">2.5.6 database </A> <LI><A NAME="tex2html413" HREF="node15.html#SECTION00357000000000000000">2.5.7 csv</A> <LI><A NAME="tex2html414" HREF="node15.html#SECTION00358000000000000000">2.5.8 unified</A> <LI><A NAME="tex2html415" HREF="node15.html#SECTION00359000000000000000">2.5.9 log null</A> </UL></UL> <!--End of Table of Child-Links--> <HR> </BODY> </HTML>