Snort - the de facto standard for intrusion detection/prevention

Directives

Table 2.1: Config Directives (each entry gives the command, an example of its use, and a description)

alert_with_interface_name
  Example: config alert_with_interface_name
  Appends the interface name to alerts (snort -I).

alertfile
  Example: config alertfile: alerts
  Sets the alerts output file.

asn1
  Example: config asn1:256
  Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section 3.5.17 for more information and examples.

bpf_file
  Example: config bpf_file: filters.bpf
  Specifies BPF filters (snort -F).

checksum_drop
  Example: config checksum_drop : all
  Types of packets to drop if their checksums are invalid. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all (only applicable in inline mode, and only for packets whose checksums are verified per the checksum_mode config option).

checksum_mode
  Example: config checksum_mode : all
  Types of packets for which to verify checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all.

chroot
  Example: config chroot: /home/snort
  Chroots to the specified directory (snort -t).

classification
  Example: config classification: misc-activity,Misc activity,3
  See Table 3.2 for a list of classifications.

daemon
  Example: config daemon
  Forks as a daemon (snort -D).

decode_data_link
  Example: config decode_data_link
  Decodes Layer 2 headers (snort -e).

default_rule_state
  Example: config default_rule_state: disabled
  Global configuration directive to enable or disable the loading of rules into the detection engine. Default (with or without the directive) is enabled. Specify disabled to disable loading rules.

detection
  Example: config detection: search-method ac no_stream_inserts max_queue_events 128
  Makes changes to the detection engine. The following options can be used:
  • search-method <ac | ac-std | ac-bnfa | acs | ac-banded | ac-sparsebands | lowmem>
    • ac: Aho-Corasick Full (high memory, best performance)
    • ac-std: Aho-Corasick Standard (moderate memory, high performance)
    • ac-bnfa: Aho-Corasick NFA (low memory, high performance)
    • acs: Aho-Corasick Sparse (small memory, moderate performance)
    • ac-banded: Aho-Corasick Banded (small memory, moderate performance)
    • ac-sparsebands: Aho-Corasick Sparse-Banded (small memory, high performance)
    • lowmem: Low Memory Keyword Trie (small memory, low performance)
  • no_stream_inserts
  • max_queue_events <integer>

disable_decode_alerts
  Example: config disable_decode_alerts
  Turns off the alerts generated by the decode phase of Snort.

disable_inline_init_failopen
  Example: config disable_inline_init_failopen
  Disables the failopen thread that allows inline traffic to pass while Snort is starting up. Only useful if Snort was configured with --enable-inline-init-failopen. (snort --disable-inline-init-failopen)

disable_ipopt_alerts
  Example: config disable_ipopt_alerts
  Disables IP option length validation alerts.

disable_tcpopt_alerts
  Example: config disable_tcpopt_alerts
  Disables TCP option length validation alerts.

disable_tcpopt_experimental_alerts
  Example: config disable_tcpopt_experimental_alerts
  Turns off alerts generated by experimental TCP options.

disable_tcpopt_obsolete_alerts
  Example: config disable_tcpopt_obsolete_alerts
  Turns off alerts generated by obsolete TCP options.

disable_tcpopt_ttcp_alerts
  Example: config disable_tcpopt_ttcp_alerts
  Turns off alerts generated by T/TCP options.

disable_ttcp_alerts
  Example: config disable_ttcp_alerts
  Turns off alerts generated by T/TCP options.

dump_chars_only
  Example: config dump_chars_only
  Turns on character dumps (snort -C).

dump_payload
  Example: config dump_payload
  Dumps the application layer (snort -d).

dump_payload_verbose
  Example: config dump_payload_verbose
  Dumps the raw packet starting at the link layer (snort -X).

enable_decode_drops
  Example: config enable_decode_drops
  Enables the dropping of bad packets identified by the decoder (only applicable in inline mode).

enable_decode_oversized_alerts
  Example: config enable_decode_oversized_alerts
  Enables alerting on packets whose headers contain length fields with a value greater than the length of the packet.

enable_decode_oversized_drops
  Example: config enable_decode_oversized_drops
  Enables dropping packets whose headers contain length fields with a value greater than the length of the packet. enable_decode_oversized_alerts must also be enabled for this to be effective (only applicable in inline mode).

enable_ipopt_drops
  Example: config enable_ipopt_drops
  Enables the dropping of packets with bad/truncated IP options (only applicable in inline mode).

enable_tcpopt_drops
  Example: config enable_tcpopt_drops
  Enables the dropping of packets with bad/truncated TCP options (only applicable in inline mode).

enable_tcpopt_experimental_drops
  Example: config enable_tcpopt_experimental_drops
  Enables the dropping of packets with experimental TCP options (only applicable in inline mode).

enable_tcpopt_obsolete_drops
  Example: config enable_tcpopt_obsolete_drops
  Enables the dropping of packets with obsolete TCP options (only applicable in inline mode).

enable_tcpopt_ttcp_drops
  Example: config enable_tcpopt_ttcp_drops
  Enables the dropping of packets with T/TCP options (only applicable in inline mode).

enable_ttcp_drops
  Example: config enable_ttcp_drops
  Enables the dropping of packets with T/TCP options (only applicable in inline mode).

event_queue
  Example: config event_queue: max_queue 512 log 100 order_events priority
  Specifies conditions about Snort's event queue. You can use the following options:
  • max_queue <integer> (max events supported)
  • log <integer> (number of events to log)
  • order_events [priority|content_length] (how to order events within the queue)
  See Section 3.10 for more information and examples.

flexresp2_attempts
  Example: config flexresp2_attempts: 15
  Specifies the number of TCP reset packets to send to the source of the attack. Valid values are 0 to 20; however, values less than 4 will default to 4. The default value without this option is 4. (Snort must be compiled with --enable-flexresp2)

flexresp2_interface
  Example: config flexresp2_interface: eth0
  Specifies the response interface to use. On Windows this can also be the interface number. (Snort must be compiled with --enable-flexresp2)

flexresp2_memcap
  Example: config flexresp2_memcap: 100000
  Specifies the memcap for the hash table used to track the time of responses. The times (hashed on a socket pair plus protocol) are used to limit sending a response to the same half of a socket pair more than once every couple of seconds. Default is 1048576 bytes. (Snort must be compiled with --enable-flexresp2)

flexresp2_rows
  Example: config flexresp2_rows: 2048
  Specifies the number of rows for the hash table used to track the time of responses. Default is 1024 rows. (Snort must be compiled with --enable-flexresp2)

flowbits_size
  Example: config flowbits_size: 128
  Specifies the maximum number of flowbit tags that can be used within a rule set.

ignore_ports
  Example: config ignore_ports: udp 1:17 53
  Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (TCP, UDP, IP, or ICMP), followed by a list of ports. Port ranges are supported.

interface
  Example: config interface: xl0
  Sets the network interface (snort -i).

ipv6_frag
  Example: config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off, frag_timeout 120, max_frag_sessions 100000
  The following options can be used:
  • bsd_icmp_frag_alert on|off (specifies whether or not to alert; default is on)
  • bad_ipv6_frag_alert on|off (specifies whether or not to alert; default is on)
  • frag_timeout <integer> (amount of time in seconds before the first fragment in the hash table times out)
  • max_frag_sessions <integer> (number of fragments to track in the hash table)

layer2resets
  Example: config layer2resets: 00:06:76:DD:5F:E3
  This option is only available when running in inline mode. See Section 1.5.

logdir
  Example: config logdir: /var/log/snort
  Sets the logdir (snort -l).

max_attribute_hosts
  Example: config max_attribute_hosts:16384
  Sets a limit on the maximum number of hosts to read from the attribute table. The minimum value is 8192 and the maximum is 524288 (512k). The default is 10000. If the number of hosts in the attribute table exceeds this value, an error is logged and the remainder of the hosts are ignored. This option is only supported with a Host Attribute Table (see Section 2.5).

min_ttl
  Example: config min_ttl:30
  Sets a Snort-wide minimum TTL; all traffic below it is ignored.

no_promisc
  Example: config no_promisc
  Disables promiscuous mode (snort -p).

nolog
  Example: config nolog
  Disables logging. Note: alerts will still occur. (snort -N)

nopcre
  Example: config nopcre
  Disables PCRE pattern matching.

pcre_match_limit
  Example: config pcre_match_limit: <integer>
  Restricts the amount of backtracking a given PCRE option can do. For example, it limits the number of nested repeats within a pattern. A value of -1 allows unlimited PCRE backtracking, up to the PCRE library's compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The Snort default value is 1500.

pcre_match_limit_recursion
  Example: config pcre_match_limit_recursion: <integer>
  Restricts the amount of stack used by a given PCRE option. A value of -1 allows unlimited PCRE recursion, up to the PCRE library's compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The Snort default value is 1500. This option is only useful if the value is less than the pcre_match_limit.

obfuscate
  Example: config obfuscate
  Obfuscates IP addresses (snort -O).

order
  Example: config order: pass alert log activation
  Changes the order in which rules are evaluated.

pidpath
  Example: config pidpath: /var/snort
  Sets the path to the directory in which to store the Snort pid file.

pkt_count
  Example: config pkt_count: 13
  Exits after N packets (snort -n).

profile_preprocs
  Example: config profile_preprocs
  Prints statistics on preprocessor performance. See Section 2.3.2 for more details.

profile_rules
  Example: config profile_rules
  Prints statistics on rule performance. See Section 2.3.1 for more details.

quiet
  Example: config quiet
  Disables banner and status reports (snort -q).

read_bin_file
  Example: config read_bin_file: test_alert.pcap
  Specifies a pcap file to use (instead of reading from the network); same effect as the -r <tf> option.

reference
  Example: config reference: myref http://myurl.com/?id=
  Adds a new reference system to Snort.

reference_net
  Example: config reference_net 192.168.0.0/24
  For IP obfuscation, the obfuscated net will be used if the packet contains an IP address in the reference net. Also used to determine how to set up the logging directory structure for the session post-detection rule option and the ascii output plugin: an attempt is made to name the log directories after the IP address that is not in the reference net.

set_gid
  Example: config set_gid: 30
  Changes the GID to the specified GID (snort -g).

set_uid
  Example: config set_uid: snort_user
  Sets the UID to <id> (snort -u).

show_year
  Example: config show_year
  Shows the year in timestamps (snort -y).

snaplen
  Example: config snaplen: 2048
  Sets the snaplength of packets; same effect as the -P <snaplen> or --snaplen <snaplen> options.

stateful
  Example: config stateful
  Sets assurance mode for stream4 (est). See the stream4_reassemble configuration in Table 2.3.

tagged_packet_limit
  Example: config tagged_packet_limit: 512
  When a metric other than packets is used in a tag option in a rule, this option sets the maximum number of packets to be tagged regardless of the amount defined by the other metric. See Section 3.7.5 on using the tag option when writing rules for more details. The default value when this option is not configured is 256 packets. Setting this option to a value of 0 disables the packet limit.

threshold
  Example: config threshold: memcap 100000
  Sets the global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte).

umask
  Example: config umask: 022
  Sets the umask when running (snort -m).

utc
  Example: config utc
  Uses UTC instead of local time for timestamps (snort -U).

verbose
  Example: config verbose
  Uses verbose logging to STDOUT (snort -v).
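An added example, not part of the Snort manual: a small review-time linter that applies the value constraints stated in this table (checksum_mode/checksum_drop values, the flexresp2_attempts and max_attribute_hosts ranges, the meaning of a 0 pcre_match_limit) to the config lines of a snort.conf, and flags directives that silence alerts or skip inspection so they get a deliberate look. The SAMPLE_CONF text and the set of directives treated as coverage-reducing are the example's own assumptions.

```python
import re

# Constraints taken from Table 2.1; the sample snort.conf below is constructed.
CHECKSUM_VALUES = {"none", "noip", "notcp", "noicmp", "noudp",
                   "ip", "tcp", "udp", "icmp", "all"}
INT_RANGES = {"flexresp2_attempts": (0, 20), "max_attribute_hosts": (8192, 524288)}
# Directives that silence alerts or skip inspection when present (assumed list;
# default_rule_state is handled separately because only "disabled" matters).
COVERAGE_REDUCING = {"nopcre", "nolog", "disable_decode_alerts",
                     "disable_ipopt_alerts", "disable_tcpopt_alerts"}

def parse_config_line(line):
    """Return (directive, argument) for a 'config' line, else None."""
    m = re.match(r"^\s*config\s+([A-Za-z0-9_]+)\s*:?\s*(.*?)\s*$", line)
    return (m.group(1), m.group(2)) if m else None

def lint_snort_conf(text):
    """Return (line number, directive, message) tuples for suspect config lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_config_line(line)
        if parsed is None:
            continue
        name, arg = parsed
        if name in ("checksum_mode", "checksum_drop") and arg not in CHECKSUM_VALUES:
            findings.append((lineno, name, "invalid value %r" % arg))
        elif name in INT_RANGES:
            lo, hi = INT_RANGES[name]
            if not arg.isdigit() or not lo <= int(arg) <= hi:
                findings.append((lineno, name, "value %r outside %d..%d" % (arg, lo, hi)))
            elif name == "flexresp2_attempts" and int(arg) < 4:
                findings.append((lineno, name, "values below 4 are raised to 4"))
        elif name in ("pcre_match_limit", "pcre_match_limit_recursion") and arg == "0":
            findings.append((lineno, name, "0 disables PCRE evaluation entirely"))
        elif name in COVERAGE_REDUCING or (name == "default_rule_state" and arg == "disabled"):
            findings.append((lineno, name, "reduces alerting or inspection coverage"))
    return findings

SAMPLE_CONF = """\
config checksum_mode: all
config flexresp2_attempts: 2
config max_attribute_hosts: 4096
config pcre_match_limit: 0
config default_rule_state: disabled
config disable_decode_alerts
config logdir: /var/log/snort
"""

if __name__ == "__main__":
    for lineno, name, msg in lint_snort_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, name, msg))
```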


Steven Sturges 2008-04-01