
Chapter 5. The snort.conf File

In Chapter 3, we took a (very) quick look at running Snort in alert mode (NIDS mode). When you changed the line in the snort.conf file that specified what path contained the rule files, you probably noticed that it is not a small file. There are a lot of settings in it and a newer version of Snort may include changes that can confuse even experts.

The snort.conf file controls everything about what Snort watches, how it defends itself from attack, what rules it uses to find malicious traffic, and even how it watches for potentially dangerous traffic that isn't defined by a signature. A thorough understanding of what is in this file and how to configure it is essential to a successful deployment of Snort as an IDS in your environment.

Take your time with this chapter. It might be useful to have the file in front of you—either on your computer or printed out. Make a copy of the default snort.conf file (found in the same directory you untarred the rules in) so that you can go back to the default settings if you make a mistake or just want to start over. It is important to know that the settings in this file change as Snort changes—new features will be developed that need to be configured. If you move to a different version of Snort, examine the new snort.conf to make sure things haven't drastically changed.

Several of the options have suggested configurations that should work in most environments. The configurations attempt to reasonably compromise on sensitivity, false positive generation, and system load.

The file is organized into several sections (and consists mostly of comments and instructions to remind you of some of the options available for the different configuration items):

Network and configuration variables
Snort decoder and detection engine configuration
Preprocessor configurations
Output configurations
File inclusions
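To show how those five sections fit together in practice, here is a stripped-down snort.conf skeleton. It is an added illustration, not the default file shipped with Snort or an excerpt from this book; the network address, the rules directory and the log file names are assumed placeholder values, and the directives shown are Snort 2.x ones (the frag2/stream4 preprocessors of that era). A real deployment keeps the default file and adjusts the values rather than starting from this.

```conf
###################################################
# Section 1: Network and configuration variables
###################################################
# Assumed: the sensor protects a single private /24 (placeholder value).
var HOME_NET 192.168.1.0/24
# Everything that is not HOME_NET is treated as external.
var EXTERNAL_NET !$HOME_NET
# Assumed location of the unpacked rules directory, relative to this file.
var RULE_PATH ../rules

###################################################
# Section 2: Decoder and detection engine configuration
###################################################
# Do not raise alerts for odd-but-harmless TCP options; cuts decoder noise.
config disable_tcpopt_alerts
# Pattern matcher choice: lowmem trades speed for a smaller memory footprint.
config detection: search-method lowmem

###################################################
# Section 3: Preprocessor configurations
###################################################
# Reassemble IP fragments so fragmented attacks are inspected as a whole.
preprocessor frag2
# Track TCP sessions and flag port scans; evasion alerts are disabled here
# to keep false positives down on a first deployment.
preprocessor stream4: detect_scans, disable_evasion_alerts
# Reassemble TCP streams for the well-known services (default port list).
preprocessor stream4_reassemble
# Normalize HTTP requests before the rules see them.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }

###################################################
# Section 4: Output configurations
###################################################
# Send alerts to syslog (auth facility) and keep full packets in pcap format.
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log

###################################################
# Section 5: File inclusions
###################################################
# Alert classifications and reference URLs used by the rules.
include classification.config
include reference.config
# Only a handful of rule files enabled; add more as you tune the sensor.
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-iis.rules
# Site-specific rules you write yourself go here (kept separate so upgrades
# of the stock rule set do not overwrite them).
include $RULE_PATH/local.rules
```

A quick sanity check after editing is to start Snort with the -T option (test mode, for example `snort -T -c snort.conf`), which parses the file, reports any directive it does not understand, and exits without sniffing. Running that check before every restart catches the section-ordering mistakes that are easy to make in a file this long: variables must be defined before the rule files that reference them are included.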