Snort configuration -- snort.conf file

This portion of Snort Report helps channel professionals understand the snort.conf file.

In the first Snort Report we created a "configuration file" called snortconf.test that contained a single ICMP rule. Invoking that configuration file via the -c switch put Snort in intrusion detection mode. In production, Snort packages a snort.conf configuration file in the etc/ directory. This directory will not appear in the /usr/local/snort- directory, but it will be in the /usr/local/src/snort- directory. The snort.conf file is the place where a variety of configuration options can be set, and it is the preferred place to control Snort's operation.

Here I will start with a blank configuration file, called snort-, and add values as I describe their function. In this article I address only those functions enabled by default in snort.conf. I'll address the functions disabled by default in future articles.

Snort: Understanding the configuration file

 Introduction: Upgrade to Snort
 The snort.conf file
 Defining IP ranges of interest
 Defining ports of interest
 Core preprocessors
 Non-dynamic preprocessors

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

Dig Deeper on MSP technology services

Cloud Computing
Data Management
Business Analytics