8/29/13
manual.snort.org/node16.html

2.1 Includes
The include keyword allows other Snort config files to be included within the snort.conf indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and inserting them in place of the include statement.

2.1.1 Format

    include <include file path/name>

Note that there is no semicolon at the end of this line. Included files will substitute any predefined variable values into their own variable references. See Section 2.1.2 for more information on defining and using variables in Snort config files.

2.1.2 Variables

Three types of variables may be defined in Snort:

    var
    portvar
    ipvar

These are simple substitution variables set with the var, ipvar, or portvar keywords as follows:

    var RULES_PATH rules/
    portvar MY_PORTS [22,80,1024:1050]
    ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
    alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
    include $RULES_PATH/example.rule

2.1.2.1 IP Variables and IP Lists

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three. IP variables should be specified using 'ipvar' instead of 'var'. Using 'var' for an IP variable is still allowed for backward compatibility, but it will be deprecated in a future release.

IPs, IP lists, and CIDR blocks may be negated with '!'. Negation is handled differently compared with Snort versions 2.7.x and earlier. Previously, each element in a list was logically OR'ed together. IP lists now OR the non-negated elements together, OR the negated elements together, and match an address only if it is in the first set and not in the second. The following example list will match the IP 1.1.1.1 and the IPs from 2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2 and 2.2.2.3.

    [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

The order of the elements in the list does not matter. The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed. See below for some valid examples of IP variables and IP lists.

    ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
    alert tcp $EXAMPLE any -> any any (msg:"Example"; sid:1;)
    alert tcp [1.0.0.0/8,!1.1.1.0/24] any -> any any (msg:"Example"; sid:2;)

The following examples demonstrate some invalid uses of IP variables and IP lists.

Use of !any:

    ipvar EXAMPLE any
    alert tcp !$EXAMPLE any -> any any (msg:"Example"; sid:3;)

Different use of !any:

    ipvar EXAMPLE !any
    alert tcp $EXAMPLE any -> any any (msg:"Example"; sid:3;)

Logical contradictions:

    ipvar EXAMPLE [1.1.1.1,!1.1.1.1]

Nonsensical negations:

    ipvar EXAMPLE [1.1.1.0/24,!1.1.0.0/16]

2.1.2.2 Port Variables and Port Lists

Port lists support the declaration and lookup of ports and the representation of lists and ranges of ports. Variables, ranges, or lists may all be negated with '!'. Also, 'any' will specify any ports, but '!any' is not allowed. Valid port ranges are from 0 to 65535. Lists of ports must be enclosed in brackets and port ranges may be specified with a ':', such as in:

    [10:50,888:900]

Port variables should be specified using 'portvar'. The use of 'var' to declare a port variable will be deprecated in a future release. For backwards compatibility, a 'var' can still be used to declare a port variable, provided the variable name either ends with '_PORT' or begins with 'PORT_'. The following examples demonstrate several valid usages of both port variables and port lists.

    portvar EXAMPLE1 80
    var EXAMPLE2_PORT [80:90]
    var PORT_EXAMPLE2 [1]
    portvar EXAMPLE3 any
    portvar EXAMPLE4 [!70:90]
    portvar EXAMPLE5 [80,91:95,100:200]
    alert tcp any $EXAMPLE1 -> any $EXAMPLE2_PORT (msg:"Example"; sid:1;)
    alert tcp any $PORT_EXAMPLE2 -> any any (msg:"Example"; sid:2;)
    alert tcp any 90 -> any [100:1000,9999:20000] (msg:"Example"; sid:3;)

Several invalid examples of port variables and port lists are demonstrated below.

Use of !any:

    portvar EXAMPLE5 !any
    var EXAMPLE5 !any

Logical contradictions:

    portvar EXAMPLE6 [80,!80]

Ports out of range:

    portvar EXAMPLE7 [65536]

Incorrect declaration and use of a port variable:

    var EXAMPLE8 80
    alert tcp any $EXAMPLE8 -> any any (msg:"Example"; sid:4;)

Port variable used as an IP:

    alert tcp $EXAMPLE1 any -> any any (msg:"Example"; sid:5;)
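The list semantics of sections 2.1.2.1 and 2.1.2.2 are easy to get wrong when writing or reviewing rules, so the following added example models them as runnable code. It is not code from the Snort project: the class and function names (IPList, PortList, match_field, rejects) are the example's own, and support for open port ranges such as 1024: is an assumption about Snort's port syntax rather than something this section states. It accepts every valid example above, applies the "OR the positives, OR the negatives, match = positive AND NOT negative" rule, and refuses the invalid examples (!any, logical contradictions, negations wider than a positive range, ports above 65535, a port variable used as an IP).

```python
"""Snort 2.9 IP-list and port-list semantics as a runnable model.

Added example, not Snort project code. Models sections 2.1.2.1 and 2.1.2.2:
non-negated elements are OR'ed, negated elements are OR'ed, and a value matches
only if it hits the first set and misses the second. Invalid forms from the
manual (!any, [x,!x], negation wider than a positive range, ports > 65535) are
refused with ValueError. Open ranges like ':1024' and '1024:' are an assumption.
"""
import ipaddress

MAX_PORT = 65535


def split_list(text):
    """Split '[a,b,![c,d]]' into ['a', 'b', '![c,d]'], honouring nested brackets."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def flatten(text):
    """Return (positives, negatives) as raw element strings; '![...]' negates every member."""
    pos, neg = [], []
    for item in split_list(text):
        negated = item.startswith("!")
        body = item[1:] if negated else item
        if body.startswith("["):
            p, n = flatten(body)
            if negated and n:
                raise ValueError(f"double negation is not modelled here: {item}")
            (neg if negated else pos).extend(p)
            neg.extend(n)
        else:
            (neg if negated else pos).append(body)
    return pos, neg


class _SnortList:
    """Shared semantics: OR the positives, OR the negatives, match = positive AND NOT negative."""

    def __init__(self, text):
        pos, neg = flatten(text)
        if "any" in neg:
            raise ValueError(f"!any is not allowed: {text}")
        self.any = "any" in pos
        self.pos = [self.parse(p) for p in pos if p != "any"]
        self.neg = [self.parse(n) for n in neg]
        for p in self.pos:  # refuses [x,!x] and [1.1.1.0/24,!1.1.0.0/16]
            for n in self.neg:
                if self.covers(n, p):
                    raise ValueError(f"negated element covers a positive one: {text}")

    def contains(self, value):
        value = self.convert(value)
        # a list made only of negations, e.g. [!70:90], implicitly starts from 'any'
        hit = self.any or not self.pos or any(self.inside(value, p) for p in self.pos)
        return hit and not any(self.inside(value, n) for n in self.neg)


def port_range(s):
    """'80' -> (80, 80), '70:90' -> (70, 90); ':1024' and '1024:' are open ranges (assumed)."""
    lo, sep, hi = s.partition(":")
    lo, hi = int(lo or 0), int(hi) if hi else (MAX_PORT if sep else int(lo))
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port out of range: {s}")
    return lo, hi


class IPList(_SnortList):
    parse = staticmethod(lambda s: ipaddress.ip_network(s, strict=False))
    convert = staticmethod(ipaddress.ip_address)
    covers = staticmethod(lambda outer, inner: outer.version == inner.version and inner.subnet_of(outer))
    inside = staticmethod(lambda addr, net: addr.version == net.version and addr in net)


class PortList(_SnortList):
    parse, convert = staticmethod(port_range), staticmethod(int)
    covers = staticmethod(lambda outer, inner: outer[0] <= inner[0] and inner[1] <= outer[1])
    inside = staticmethod(lambda port, rng: rng[0] <= port <= rng[1])


def match_field(cls, spec, value, variables=None):
    """Evaluate one rule address or port field: a literal, a list, $VAR, or any of them with '!'."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    lst = (variables or {})[body[1:]] if body.startswith("$") else cls(body)
    if not isinstance(lst, cls):  # e.g. a port variable used where an IP is expected
        raise ValueError(f"{body} is not a {cls.__name__}")
    if negated and lst.any:  # '!$EXAMPLE' after 'ipvar EXAMPLE any'
        raise ValueError(f"!any is not allowed: {spec}")
    return lst.contains(value) != negated


def rejects(fn, *args):
    """True if fn(*args) is refused with ValueError; used for the manual's invalid examples."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Note that negating a whole variable is done at evaluation time (match_field) rather than by swapping the positive and negative sets: the complement of "in P and not in N" is "not in P or in N", which a single Snort-style list cannot express, so a swap would give wrong answers for lists such as EXAMPLE above.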

2.1.2.3 Variable Modifiers

Rule variable names can be modified in several ways. You can define meta-variables using the $ operator. These can be used with the variable modifier operators ? and -, as described in the following table:

    Variable Syntax        Description
    var                    Defines a meta-variable.
    $(var) or $var         Replaces with the contents of variable var.
    $(var:-default)        Replaces the contents of the variable var with "default" if var is undefined.
    $(var:?message)        Replaces with the contents of variable var or prints out the error message and exits.

Here is an example of advanced variable usage in action:

    ipvar MY_NET 192.168.1.0/24
    log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23

2.1.2.4 Limitations

When embedding variables, types can not be mixed. For instance, port variables can be defined in terms of other port variables, but old-style variables (with the 'var' keyword) can not be embedded inside a 'portvar'.

Valid embedded variable:

    portvar pvar1 80
    portvar pvar2 [$pvar1,90]

Invalid embedded variable:

    var pvar1 80
    portvar pvar2 [$pvar1,90]

Likewise, variables can not be redefined if they were previously defined as a different type. They should be renamed instead.

Invalid redefinition:

    var pvar 80
    portvar pvar 90
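Sections 2.1.2.3 and 2.1.2.4 together define how a declaration gets its type, what may be embedded in what, and how the $var, $(var), $(var:-default) and $(var:?message) forms expand. The following added example puts those rules into one small variable table; it is not Snort's parser, and the names VarTable, ConfigError and rejected are the example's own. One reading it makes explicit, and labels as an assumption, is that a plain 'var' may embed variables of any type while 'ipvar' and 'portvar' may only embed their own type.

```python
"""Snort 2.9 rule-variable table: declaration typing, embedding limits and $() modifiers.

Added example, not Snort's own parser. Models sections 2.1.2.3 and 2.1.2.4:
'var' declares a plain substitution variable unless its name ends in _PORT or
starts with PORT_ (then it is a port variable); a typed declaration may only
embed variables of its own type (assumption: plain 'var' may embed anything);
a name cannot be redefined with a different type; references expand as $var,
$(var), $(var:-default) and $(var:?message).
"""
import re

# $VAR, $(VAR), $(VAR:-default) and $(VAR:?message)
REF = re.compile(r"\$(?:\((?P<pname>\w+)(?::(?P<op>[-?])(?P<arg>[^)]*))?\)|(?P<name>\w+))")


class ConfigError(Exception):
    """Raised where Snort would refuse the configuration and exit."""


class VarTable:
    def __init__(self):
        self.vars = {}  # name -> (kind, expanded text); kind is var, ipvar or portvar

    @staticmethod
    def kind_of(keyword, name):
        """Backward compatibility: 'var FOO_PORT' and 'var PORT_FOO' are port variables."""
        if keyword == "var" and (name.endswith("_PORT") or name.startswith("PORT_")):
            return "portvar"
        return keyword

    def declare(self, keyword, name, text):
        kind = self.kind_of(keyword, name)
        if name in self.vars and self.vars[name][0] != kind:
            raise ConfigError(f"{name}: already defined as {self.vars[name][0]}, cannot redefine as {kind}")
        for m in REF.finditer(text):  # embedded references must match the declared type
            ref = m.group("pname") or m.group("name")
            if ref in self.vars and kind != "var" and self.vars[ref][0] != kind:
                raise ConfigError(f"{name}: cannot embed {self.vars[ref][0]} {ref} in a {kind}")
        self.vars[name] = (kind, self.expand(text))

    def expand(self, text):
        """Apply the $var / $(var) / $(var:-default) / $(var:?message) substitutions."""
        def sub(m):
            name = m.group("pname") or m.group("name")
            op, arg = m.group("op"), m.group("arg")
            if name in self.vars:
                return self.vars[name][1]
            if op == "-":
                return arg  # default value used when the variable is undefined
            if op == "?":
                raise ConfigError(arg)  # Snort prints the message and exits
            raise ConfigError(f"undefined variable {name}")
        return REF.sub(sub, text)

    def load(self, lines):
        """Consume 'var|ipvar|portvar NAME VALUE' lines; return the other lines fully expanded."""
        out = []
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 2)
            if parts[0] in ("var", "ipvar", "portvar"):
                self.declare(parts[0], parts[1], parts[2])
            else:
                out.append(self.expand(line))
        return out


def rejected(lines):
    """True if loading these lines raises ConfigError (the manual's invalid examples)."""
    try:
        VarTable().load(lines)
    except ConfigError:
        return True
    return False
```

Running the manual's own lines through it: the valid pvar1/pvar2 pair expands to [80,90], the 'var pvar1 80' variant is refused because a plain var is embedded in a portvar, the pvar redefinition is refused, and the log rule with $(MY_NET:?...) either expands or aborts with the supplied message.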

2.1.3 Config

Many configuration and command line options of Snort can be specified in the configuration file.

2.1.3.1 Format

    config <directive> [: <value>]

Config directives and their descriptions:

config alert_with_interface_name
    Appends interface name to alert (snort -I).

config alertfile: <filename>
    Sets the alerts output file.

config asn1: <max-nodes>
    Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section for more information and examples.

config autogenerate_preprocessor_decoder_rules
    If Snort was configured to enable decoder and preprocessor rules, this option will cause Snort to revert back to its original behavior of alerting if the decoder or preprocessor generates an event.

config bpf_file: <filename>
    Specifies BPF filters (snort -F).

config checksum_drop: <types>
    Types of packets to drop if invalid checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all (only applicable in inline mode and for packets checked per the checksum_mode config option).

config checksum_mode: <types>
    Types of packets to calculate checksums. Values: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp or all.

config chroot: <dir>
    Chroots to specified dir (snort -t).

config classification: <class>
    See Table for a list of classifications.

config cs_dir: <path>
    Configure Snort to provide a Unix socket in the path that can be used to issue commands to the running process. See Section for more details.

config daemon
    Forks as a daemon (snort -D).

config decode_data_link
    Decodes Layer2 headers (snort -e).

config default_rule_state: <state>
    Global configuration directive to enable or disable the loading of rules into the detection engine. Default (with or without directive) is enabled. Specify disabled to disable loading rules.
config daq: <type>
    Selects the type of DAQ to instantiate. The DAQ with the highest version of the given type is selected if there are multiple of the same type (this includes any built-in DAQs).

config daq_mode: <mode>
    Select the DAQ mode: passive, inline, or read-file. Not all DAQs support modes. See the DAQ distro README for possible DAQ modes or list DAQ capabilities for a brief summary.

config daq_var: <name=value>
    Set a DAQ specific variable. Snort just passes this information down to the DAQ. See the DAQ distro README for possible DAQ variables.

config daq_dir: <dir>
    Tell Snort where to look for available dynamic DAQ modules. This can be repeated. The selected DAQ will be the one with the latest version.

config daq_list: [<dir>]
    Tell Snort to dump basic DAQ capabilities and exit. You can optionally specify a directory to include any dynamic DAQs from that directory. You can also precede this option with extra DAQ directory options to look in multiple directories.

config decode_esp: [enable | disable]
    Enable or disable the decoding of Encapsulated Security Protocol (ESP). This is disabled by default. Some networks use ESP for authentication without encryption, allowing their content to be inspected. Encrypted ESP may cause some false positives if this option is enabled.

config detection: [search-method <method>]
    Select type of fast pattern matcher algorithm to use.

    Queued match search methods - Matches are queued until the fast pattern matcher is finished with the payload, then evaluated. This was found to generally increase performance through fewer cache misses (evaluating each rule would generally blow away the fast pattern matcher state in the cache).
        ac and ac-q - Aho-Corasick Full (high memory, best performance).
        ac-bnfa and ac-bnfa-q - Aho-Corasick Binary NFA (low memory, high performance).
        lowmem and lowmem-q - Low Memory Keyword Trie (low memory, moderate performance).
        ac-split - Aho-Corasick Full with ANY-ANY port group evaluated separately (low memory, high performance). Note this is shorthand for search-method ac, split-any-any.
        intel-cpm - Intel CPM library (must have compiled Snort with location of libraries to enable this).

    No queue search methods - The "nq" option specifies that matches should not be queued but evaluated as they are found.
        ac-nq - Aho-Corasick Full (high memory, best performance).
        ac-bnfa-nq - Aho-Corasick Binary NFA (low memory, high performance). This is the default search method if none is specified.
        lowmem-nq - Low Memory Keyword Trie (low memory, moderate performance).

    Other search methods (the above are considered superior to these):
        ac-std - Aho-Corasick Standard (high memory, high performance).
        acs - Aho-Corasick Sparse (high memory, moderate performance).
        ac-banded - Aho-Corasick Banded (high memory, moderate performance).
        ac-sparsebands - Aho-Corasick Sparse-Banded (high memory, moderate performance).

config detection: [split-any-any] [search-optimize] [max-pattern-len <int>]
    Other options that affect fast pattern matching.

    split-any-any
        A memory/performance tradeoff. By default, ANY-ANY port rules are added to every non ANY-ANY port group so that only one port group rule evaluation needs to be done per packet. Not putting the ANY-ANY port rule group into every other port group can significantly reduce the memory footprint of the fast pattern matchers if there are many ANY-ANY port rules. But doing so may require two port group evaluations per packet - one for the specific port group and one for the ANY-ANY port group, thus potentially reducing performance. This option is generic and can be used with any search-method but was specifically intended for use with the ac search-method, where the memory footprint is significantly reduced though overall fast pattern performance is better than ac-bnfa. Of note is that the lower memory footprint can also increase performance through fewer cache misses. Default is not to split the ANY-ANY port group.

    search-optimize
        Optimizes fast pattern memory when used with search-method ac or ac-split by dynamically determining the size of a state based on the total number of states. When used with ac-bnfa, some fail-state resolution will be attempted, potentially increasing performance. Default is not to optimize.

    max-pattern-len <integer>
        This is a memory optimization that specifies the maximum length of a pattern that will be put in the fast pattern matcher. Patterns longer than this length will be truncated to this length before inserting into the pattern matcher. Useful when there are very long contents being used and truncating the pattern won't diminish the uniqueness of the patterns. Note that this may cause more false positive rule evaluations, i.e. rules that will be evaluated because a fast pattern was matched, but eventually fail; however CPU cache can play a part in performance, so a smaller memory footprint of the fast pattern matcher can potentially increase performance. Default is to not set a maximum pattern length.

config detection: [no_stream_inserts] [max_queue_events <int>] [enable-single-rule-group] [bleedover-port-limit]
    Other detection engine options.

    no_stream_inserts
        Specifies that stream inserted packets should not be evaluated against the detection engine. This is a potential performance improvement with the idea that the stream rebuilt packet will contain the payload in the inserted one, so the stream inserted packet doesn't need to be evaluated. Default is to inspect stream inserts.

    max_queue_events <integer>
        Specifies the maximum number of matching fast-pattern states to queue per packet. Default is 5 events.

    enable-single-rule-group
        Put all rules into one port group. Not recommended. Default is not to do this.

    bleedover-port-limit
        The maximum number of source or destination ports designated in a rule before the rule is considered an ANY-ANY port group rule. Default is 1024.

config detection: [debug] [debug-print-nocontent-rule-tests] [debug-print-rule-group-build-details] [debug-print-rule-groups-uncompiled] [debug-print-rule-groups-compiled] [debug-print-fast-pattern] [bleedover-warnings-enabled]
    Options for detection engine debugging.

    debug
        Prints fast pattern information for a particular port group.

    debug-print-nocontent-rule-tests
        Prints port group information during packet evaluation.

    debug-print-rule-group-build-details
        Prints port group information during port group compilation.

    debug-print-rule-groups-uncompiled
        Prints uncompiled port group information.

    debug-print-rule-groups-compiled
        Prints compiled port group information.

    debug-print-fast-pattern
        For each rule with fast pattern content, prints information about the content being used for the fast pattern matcher.

    bleedover-warnings-enabled
        Prints a warning if the number of source or destination ports used in a rule exceeds the bleedover-port-limit, forcing the rule to be moved into the ANY-ANY port group.

config disable_decode_alerts
    Turns off the alerts generated by the decode phase of Snort.

config disable_inline_init_failopen
    Disables the failopen thread that allows inline traffic to pass while Snort is starting up. Only useful if Snort was configured with --enable-inline-init-failopen. (snort --disable-inline-init-failopen)

config disable_ipopt_alerts
    Disables IP option length validation alerts.

config disable_tcpopt_alerts
    Disables option length validation alerts.

config disable_tcpopt_experimental_alerts
    Turns off alerts generated by experimental TCP options.

config disable_tcpopt_obsolete_alerts
    Turns off alerts generated by obsolete TCP options.

config disable_tcpopt_ttcp_alerts
    Turns off alerts generated by T/TCP options.

config disable_ttcp_alerts
    Turns off alerts generated by T/TCP options.

config dump_chars_only
    Turns on character dumps (snort -C).

config dump_payload
    Dumps application layer (snort -d).

config dump_payload_verbose
    Dumps raw packet starting at link layer (snort -X).

config enable_decode_drops
    Enables the dropping of bad packets identified by decoder (only applicable in inline mode).

config enable_decode_oversized_alerts
    Enable alerting on packets that have headers containing length fields for which the value is greater than the length of the packet.

config enable_decode_oversized_drops
    Enable dropping packets that have headers containing length fields for which the value is greater than the length of the packet. enable_decode_oversized_alerts must also be enabled for this to be effective (only applicable in inline mode).

config enable_deep_teredo_inspection
    Snort's packet decoder only decodes Teredo (IPv6 over UDP over IPv4) traffic on UDP port 3544. This option makes Snort decode Teredo traffic on all UDP ports.

config enable_ipopt_drops
    Enables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).

config enable_mpls_multicast
    Enables support for MPLS multicast. This option is needed when the network allows MPLS multicast traffic. When this option is off and MPLS multicast traffic is detected, Snort will generate an alert. By default, it is off.

config enable_mpls_overlapping_ip
    Enables support for overlapping IP addresses in an MPLS network. In a normal situation, where there are no overlapping IP addresses, this configuration option should not be turned on. However, there could be situations where two private networks share the same IP space and different MPLS labels are used to differentiate traffic from the two VPNs. In such a situation, this configuration option should be turned on. By default, it is off.

config enable_tcpopt_drops
    Enables the dropping of bad packets with bad/truncated TCP options (only applicable in inline mode).

config enable_tcpopt_experimental_drops
    Enables the dropping of bad packets with experimental TCP options (only applicable in inline mode).

config enable_tcpopt_obsolete_drops
    Enables the dropping of bad packets with obsolete TCP options (only applicable in inline mode).

config enable_tcpopt_ttcp_drops
    Enables the dropping of bad packets with T/TCP options (only applicable in inline mode).

config enable_ttcp_drops
    Enables the dropping of bad packets with T/TCP options (only applicable in inline mode).

config event_filter: memcap <bytes>
    Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte).

config event_queue: [max_queue <num>] [log <num>] [order_events <order>]
    Specifies conditions about Snort's event queue. You can use the following options:
        max_queue <integer> (max events supported)
        log <integer> (number of events to log)
        order_events [priority|content_length] (how to order events within the queue)
    See Section for more information and examples.

config flowbits_size: <num-bits>
    Specifies the maximum number of flowbit tags that can be used within a rule set. The default is 1024 bits and the maximum is 2048.

config ignore_ports: <proto> <port-list>
    Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (TCP, UDP, IP, or ICMP), followed by a list of ports. Port ranges are supported.

config interface: <iface>
    Sets the network interface (snort -i).

config ipv6_frag: [bsd_icmp_frag_alert on|off] [, bad_ipv6_frag_alert on|off] [, frag_timeout <secs>] [, max_frag_sessions <max-track>]
    The following options can be used:
        bsd_icmp_frag_alert on|off (Specify whether or not to alert. Default is on)
        bad_ipv6_frag_alert on|off (Specify whether or not to alert. Default is on)
        frag_timeout <integer> (Specify amount of time in seconds to timeout first frag in hash table)
        max_frag_sessions <integer> (Specify the number of fragments to track in the hash table)

config logdir: <dir>
    Sets the logdir (snort -l).

config log_ipv6_extra_data
    Set Snort to log IPv6 source and destination addresses as unified2 extra data events.

config max_attribute_hosts: <hosts>
    Sets a limit on the maximum number of hosts to read from the attribute table. Minimum value is 32 and the maximum is 524288 (512k). The default is 10000. If the number of hosts in the attribute table exceeds this value, an error is logged and the remainder of the hosts are ignored. This option is only supported with a Host Attribute Table (see section).

config max_attribute_services_per_host: <hosts>
    Sets a per host limit on the maximum number of services to read from the attribute table. Minimum value is 1 and the maximum is 65535. The default is 100. For a given host, if the number of services in the attribute table exceeds this value, an error is logged and the remainder of the services for that host are ignored. This option is only supported with a Host Attribute Table (see section).

config max_mpls_labelchain_len: <num-hdrs>
    Sets a Snort-wide limit on the number of MPLS headers a packet can have. Its default value is -1, which means that there is no limit on label chain length.

config min_ttl: <ttl>
    Sets a Snort-wide minimum ttl to ignore all traffic.

config mpls_payload_type: ipv4|ipv6|ethernet
    Sets a Snort-wide MPLS payload type. In addition to ipv4, ipv6 and ethernet are also valid options. The default MPLS payload type is ipv4.

config no_promisc
    Disables promiscuous mode (snort -p).

config nolog
    Disables logging. Note: Alerts will still occur. (snort -N)

config nopcre
    Disables pcre pattern matching.

config obfuscate
    Obfuscates IP Addresses (snort -O).

config order: <order>
    Changes the order that rules are evaluated, eg: pass alert log activation.

config pcre_match_limit: <integer>
    Restricts the amount of backtracking a given PCRE option. For example, it will limit the number of nested repeats within a pattern. A value of -1 allows for unlimited PCRE, up to the PCRE library compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The snort default value is 1500.

config pcre_match_limit_recursion: <integer>
    Restricts the amount of stack used by a given PCRE option. A value of -1 allows for unlimited PCRE, up to the PCRE library compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The snort default value is 1500. This option is only useful if the value is less than the pcre_match_limit.

config pkt_count: <N>
    Exits after N packets (snort -n).

config policy_version: <base-version-string> [<binding-version-string>]
    Supply versioning information to configuration files. Base version should be a string in all configuration files including included ones. In addition, binding version must be in any file configured with config binding. This option is used to avoid race conditions when modifying and loading a configuration within a short time span - before Snort has had a chance to load a previous configuration.

config profile_preprocs
    Print statistics on preprocessor performance. See Section for more details.

config profile_rules
    Print statistics on rule performance. See Section for more details.

config quiet
    Disables banner and status reports (snort -q). NOTE: The command line switch -q takes effect immediately after processing the command line parameters, whereas using config quiet in snort.conf takes effect when the configuration line in snort.conf is parsed. That may occur after other configuration settings that result in output to console or syslog.

config reference: <ref>
    Adds a new reference system to Snort, eg: myref http://myurl.com/?id=

config reference_net <cidr>
    For IP obfuscation, the obfuscated net will be used if the packet contains an IP address in the reference net. Also used to determine how to set up the logging directory structure for the session post detection rule option and ASCII output plugin - an attempt is made to name the log directories after the IP address that is not in the reference net.


config response: [attempts <count>] [, device <dev>]
    Set the number of strafing attempts per injected response and/or the device, such as eth0, from which to send responses. These options may appear in any order but must be comma separated. They are intended for passive mode.

config set_gid: <gid>
    Changes GID to specified GID (snort -g).

config set_uid: <uid>
    Sets UID to <id> (snort -u).

config show_year
    Shows year in timestamps (snort -y).

config snaplen: <bytes>
    Set the snaplength of packet, same effect as the -P <snaplen> or --snaplen <snaplen> options.

config so_rule_memcap: <bytes>
    Set global memcap in bytes for so rules that dynamically allocate memory for storing session data in the stream preprocessor. A value of 0 disables the memcap. Default is 0. Maximum value is the maximum value an unsigned 32 bit integer can hold, which is 4294967295 or 4GB.

config stateful
    Sets assurance mode for stream (stream is established).

config tagged_packet_limit: <max-tag>
    When a metric other than packets is used in a tag option in a rule, this option sets the maximum number of packets to be tagged regardless of the amount defined by the other metric. See Section on using the tag option when writing rules for more details. The default value when this option is not configured is 256 packets. Setting this option to a value of 0 will disable the packet limit.

config threshold: memcap <bytes>
    Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte). (This is deprecated. Use config event_filter instead.)

config umask: <umask>
    Sets umask when running (snort -m).

config utc
    Uses UTC instead of local time for timestamps (snort -U).

config verbose
    Uses verbose logging to STDOUT (snort -v).

config vlan_agnostic
    Causes Snort to ignore vlan headers for the purposes of connection and frag tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off.

config address_space_agnostic
    Causes Snort to ignore DAQ address space ID for the purposes of connection and frag tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off.

config policy_mode: tap|inline|inline_test
    Sets the policy mode to either passive, inline or inline_test.

config tunnel_verdicts: gtp|teredo|6in4|4in6
    By default, whitelist and blacklist verdicts are handled internally by Snort for GTP, Teredo, 6in4 and 4in6 encapsulated traffic. This means Snort act ually gives the DAQ a pass or block verdict instead. This is to work around cases where the DAQ would apply the verdict to the whole tunnel instead of the individual session within the tunnel. If your DAQ decodes GTP, Teredo, 6in4 or 4in6 correctly, setting this config will allow the whitelist or blacklist verdict to go to the DAQ. There is a modest performance boost by doing this where possible since Snort won't see the remaining packets on the session.
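The directive table above documents a number of hard limits and value sets (flowbits_size at most 2048, max_attribute_hosts between 32 and 524288, the checksum type names, the policy_mode and mpls_payload_type values, the meaning of -1 and 0 for the PCRE limits) and the directives that drop privileges (set_uid, set_gid, chroot, umask). The following added example is a small lint that reads the config <directive>[: <value>] format and reports violations and omissions; it is not a Snort tool. SAMPLE_CONF is constructed for the example, the names parse_config and check_config are its own, and splitting a checksum type list on commas or whitespace is an assumption about the value syntax.

```python
"""Lint the 'config <directive>[: <value>]' lines of a snort.conf against section 2.1.3.

Added example, not a Snort tool. Parses the directive format, applies the
numeric limits and value sets the table documents, and reports the
privilege-drop directives a sensor started as root should carry. The lower
bound 0 for flowbits_size and the comma/space splitting of checksum types
are assumptions; everything else comes from the table.
"""
import re

CONFIG_LINE = re.compile(r"^config\s+(?P<directive>\w+)\s*(?::\s*(?P<value>.*?))?$")

CHECKSUM_TYPES = {"none", "noip", "notcp", "noicmp", "noudp", "ip", "tcp", "udp", "icmp", "all"}

RANGES = {  # directive -> (minimum, maximum) as documented
    "flowbits_size": (0, 2048),
    "max_attribute_hosts": (32, 524288),
    "max_attribute_services_per_host": (1, 65535),
    "so_rule_memcap": (0, 4294967295),
}

ENUMS = {  # directive -> allowed values
    "policy_mode": {"tap", "inline", "inline_test"},
    "mpls_payload_type": {"ipv4", "ipv6", "ethernet"},
    "daq_mode": {"passive", "inline", "read-file"},
    "decode_esp": {"enable", "disable"},
    "tunnel_verdicts": {"gtp", "teredo", "6in4", "4in6"},
}

PRIVILEGE_DROP = ("set_uid", "set_gid", "chroot", "umask")


def parse_config(text):
    """Return [(directive, value or None)] for every config line; comments and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = CONFIG_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group("directive"), m.group("value")))
    return entries


def check_config(text):
    """Return a list of issue strings; an empty list means nothing to report."""
    issues, seen = [], {}
    for directive, value in parse_config(text):
        seen[directive] = value
        if directive in RANGES:
            lo, hi = RANGES[directive]
            if value is None or not value.lstrip("-").isdigit():
                issues.append(f"{directive}: expects an integer, got {value!r}")
            elif not lo <= int(value) <= hi:
                issues.append(f"{directive}: {value} is outside {lo}..{hi}")
        elif directive in ENUMS and value not in ENUMS[directive]:
            issues.append(f"{directive}: {value!r} is not one of {sorted(ENUMS[directive])}")
        elif directive in ("checksum_mode", "checksum_drop"):
            bad = [t for t in re.split(r"[\s,]+", value or "") if t and t not in CHECKSUM_TYPES]
            if bad:
                issues.append(f"{directive}: unknown type(s) {bad}")
        elif directive in ("pcre_match_limit", "pcre_match_limit_recursion"):
            if value == "-1":
                issues.append(f"{directive}: -1 lifts the bound up to the PCRE library limit (about 10 million)")
            elif value == "0":
                issues.append(f"{directive}: 0 disables PCRE evaluation entirely")
    limit, rec = seen.get("pcre_match_limit"), seen.get("pcre_match_limit_recursion")
    if limit and rec and limit.isdigit() and rec.isdigit() and int(rec) >= int(limit):
        issues.append("pcre_match_limit_recursion: only useful when lower than pcre_match_limit")
    for directive in PRIVILEGE_DROP:
        if directive not in seen:
            issues.append(f"missing config {directive}")
    if "chroot" in seen and "set_uid" not in seen:  # a process that stays root can leave a chroot
        issues.append("chroot without set_uid: the chroot is not a boundary for a root process")
    if "nopcre" in seen:
        issues.append("nopcre: pcre pattern matching is disabled for every rule")
    return issues


# Constructed sample for this example, not a real deployment.
SAMPLE_CONF = """\
# constructed sample
config daemon
config logdir: /var/log/snort
config set_uid: snort
config set_gid: snort
config chroot: /var/lib/snort
config umask: 027
config checksum_mode: all
config policy_mode: tap
config flowbits_size: 4096
config max_attribute_hosts: 16
config pcre_match_limit: -1
config pcre_match_limit_recursion: 1500
config mpls_payload_type: ipv5
"""
```

On SAMPLE_CONF the lint reports four problems: flowbits_size above 2048, max_attribute_hosts below 32, an unbounded pcre_match_limit, and an mpls_payload_type that is not ipv4, ipv6 or ethernet; the privilege-drop directives are all present so nothing is reported for them.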
