
5.2 Snort Decoder and Detection Engine Configuration

The Snort decoder watches the structure of network packets to make sure they are constructed according to specification. If a packet has a strange size, strangely set options, or uncommon settings, Snort will generate an alert. If you are not concerned about these alerts or you find a large number of false positives, you can disable alerts generated by the Snort decoder. By default, all such alerts are enabled. To disable a particular type of alert, remove the comment character (#) at the beginning of the line. The Snort decoder configuration options are:

# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

By default, the Snort decoder alerts on the use of some of the uncommon TCP option settings. Since it is rare to see them in a normal network conversation, it is assumed that their presence indicates nefarious activity. This may not be the case. The negative logic is a little weird, but if you want to disable the alerts generated by the decoder when it comes across one of these TCP options, remove the "#" character from the beginning of the appropriate line.

The option that may not seem familiar is the disable_tcpopt_ttcp_alerts option. If you use T/TCP in your environment (a hybrid transaction protocol between TCP and UDP in function and used to facilitate web transactions—see RFC 1644 for details), you will want to disable alerts when Snort sees these options being used.

Please note that you can also place many of the Snort command-line options in this portion of the snort.conf file. Table 5-1 shows some of these options.

Table 5-1. snort.conf configure options

Option                                                      Description
------                                                      -----------
config order: [pass, alert, log, activation, or dynamic]    Change the order in which rules are evaluated.
config alertfile: alerts                                    Set the alerts output file.
config decode_arp                                           Turn on ARP decoding (snort -a).
config dump_chars_only                                      Turn on character dumps (snort -C).
config dump_payload                                         Dump application-layer information (snort -d).
config decode_data_link                                     Decode Layer 2 headers (snort -e).
config bpf_file: filters.bpf                                Specify BPF filters (snort -F).
config set_gid: 30                                          Change to the specified GID (snort -g).
config daemon                                               Run Snort in daemon mode (snort -D).
config interface: <interface name>                          Set the network interface (snort -i).
config alert_with_interface_name                            Append the interface name to alerts (snort -I).
config logdir: /var/log/snort                               Set the logging directory (snort -l).
config umask: <umask>                                       Set the umask when running (snort -m).
config pkt_count: N                                         Exit after N packets (snort -n).
config nolog                                                Disable logging. Note: alerts still occur (snort -N).
config obfuscate                                            Obfuscate IP addresses (snort -O).
config no_promisc                                           Disable promiscuous mode (snort -p).
config quiet                                                Disable banner and status reports (snort -q).
config chroot: /home/snort                                  Chroot to the specified directory (snort -t).
config checksum_mode: all                                   Types of packets to calculate checksums for. Values: none, noip, notcp, noicmp, noudp, or all.
config set_uid: <id>                                        Set UID to <id> (snort -u).
config utc                                                  Use UTC instead of local time for timestamps (snort -U).
config verbose                                              Use verbose logging to stdout (snort -v).
config dump_payload_verbose                                 Dump the raw packet starting at the link layer (snort -X).
config show_year                                            Show the year in timestamps (snort -y).
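As an added illustration (not code from the book or from the Snort project), the following Python script reads the decoder toggles and the Table 5-1 directives out of a constructed snort.conf fragment and reports which decoder alerts are still enabled and whether the privilege-dropping directives (set_uid, set_gid, chroot) are present. The sample configuration, the values in it, and the function names are assumptions made for this example.

```python
import re

# Constructed sample snort.conf fragment (not from the book). A leading "#"
# keeps a decoder alert enabled; an uncommented line disables it.
SAMPLE_CONF = """\
# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
config disable_tcpopt_ttcp_alerts
# config disable_ipopt_alerts
config set_uid: 1001
config set_gid: 30
config chroot: /home/snort
config logdir: /var/log/snort
config checksum_mode : all
config order: pass alert log
"""

DECODER_TOGGLES = [
    "disable_decode_alerts", "disable_tcpopt_experimental_alerts",
    "disable_tcpopt_obsolete_alerts", "disable_tcpopt_ttcp_alerts",
    "disable_tcpopt_alerts", "disable_ipopt_alerts",
]
PRIV_DROP = ("set_uid", "set_gid", "chroot")  # directives from Table 5-1

# "config <name>" with an optional ": <value>" (tolerates "name : value")
CONFIG_RE = re.compile(r"^config\s+(\w+)\s*(?::\s*(.*?))?\s*$")

def parse_config(text):
    """Map each active (uncommented) config directive to its value or None."""
    active = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # commented-out directives are not in effect
        m = CONFIG_RE.match(stripped)
        if m:
            active[m.group(1)] = m.group(2)
    return active

def audit(text):
    """Summarise decoder-alert and privilege-drop settings of a snort.conf."""
    cfg = parse_config(text)
    return {
        "enabled_decoder_alerts": [t for t in DECODER_TOGGLES if t not in cfg],
        "disabled_decoder_alerts": [t for t in DECODER_TOGGLES if t in cfg],
        "missing_priv_drop": [d for d in PRIV_DROP if d not in cfg],
        "rule_order": cfg.get("order"),
        "checksum_mode": cfg.get("checksum_mode"),
    }
```

Running audit(SAMPLE_CONF) on the fragment above shows only the T/TCP alert disabled, all three privilege-drop directives present, and the rule order "pass alert log".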

