Snort configuration -- snort.conf file

This portion of Snort Report helps channel professionals understand the snort.conf file.

In the first Snort Report we created a "configuration file" called snortconf.test that contained a single ICMP rule. Invoking that configuration file via the -c switch put Snort in intrusion detection mode. In production, Snort packages a snort.conf configuration file in the etc/ directory. This directory will not appear in the /usr/local/snort-2.6.1.2/ directory, but it will be in the /usr/local/src/snort-2.6.1.2/etc/ directory. The snort.conf file is the place where a variety of configuration options can be set, and it is the preferred place to control Snort's operation.

Here I will start with a blank configuration file, called snort-2.6.1.2.20dec06a.conf, and add values as I describe their function. In this article I address only those functions enabled by default in snort.conf. I'll address the functions disabled by default in future articles.


Snort: Understanding the configuration file

  Introduction: Upgrade to Snort 2.6.1.2
 The snort.conf file
  Defining IP ranges of interest
  Defining ports of interest
  Core preprocessors
  Non-dynamic preprocessors
  Conclusion

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

This was first published in January 2007

Dig deeper on Network security products, technologies, services

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

MicroscopeUK

SearchCloudProvider

SearchSecurity

SearchStorage

SearchNetworking

SearchCloudComputing

SearchConsumerization

SearchDataManagement

SearchBusinessAnalytics

Close