Snort configuration -- snort.conf file
This portion of Snort Report helps channel professionals understand the snort.conf file.
In the first Snort Report we created a "configuration file" called snortconf.test that contained a single ICMP rule. Invoking that file with the -c switch put Snort into intrusion detection mode. In production you would not work from a one-rule file: the Snort source distribution ships a full snort.conf in its etc/ directory. Note that the install step does not copy etc/ into the installation directory (/usr/local/snort-2.6.1.2/), so look for it in the unpacked source tree at /usr/local/src/snort-2.6.1.2/etc/. snort.conf is where the bulk of Snort's configuration options are set, and it is the preferred place to control how Snort operates.
Here I will start with a blank configuration file, called snort-2.6.1.2.20dec06a.conf, and add values as I describe their function. In this article I address only those functions enabled by default in snort.conf. I'll address the functions disabled by default in future articles.
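As an added example (not code from the original article or from the Snort project), the script below reproduces the starting point the text describes: a minimal configuration with two network variables and a single ICMP rule, written to a file and then handed to Snort with -c. It uses Snort's -T switch, which parses the configuration and exits without sniffing, so a typo in the file is caught before Snort goes into intrusion detection mode. The file name, the HOME_NET address range, the sid value and the interface name in the closing comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: build a single-rule
# Snort 2.x configuration, validate it, and show how to run it.
# File name, HOME_NET range, sid and interface are illustrative assumptions.
set -eu

CONF="${1:-./snortconf.test}"

# Write a minimal configuration: the two network variables that the stock
# snort.conf also defines, followed by one ICMP rule. The rule fires on any
# ICMP packet, so a ping is enough to smoke-test the sensor.
write_conf() {
    cat > "$1" <<'EOF'
# Network variables first; rules can refer to them as $HOME_NET etc.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# One rule. Every rule needs a unique sid; locally written rules
# conventionally use sid values of 1000000 and above.
alert icmp any any -> any any (msg:"ICMP test rule"; sid:1000001; rev:1;)
EOF
}

# Count the rules in a configuration file: lines that begin with a rule
# action keyword. grep -c prints 0 (and exits 1) when nothing matches,
# hence the "|| true" so that set -e does not abort the script.
rule_count() {
    grep -cE '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# Ask Snort to parse the configuration without sniffing (-T is test mode).
# When snort is not on PATH, say so and return success so the rest of the
# script can still be exercised on a machine without Snort installed.
validate_conf() {
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1"
    else
        echo "snort not found on PATH; skipping -T validation of $1" >&2
    fi
}

write_conf "$CONF"
validate_conf "$CONF"
echo "$CONF contains $(rule_count "$CONF") rule(s)"

# Once -T succeeds, run Snort in intrusion detection mode on an interface
# with alerts printed to the console (replace eth0 with your sniffing
# interface):
#   snort -c "$CONF" -i eth0 -A console
```

Keeping the variables above the rules matters: Snort resolves $HOME_NET and friends when it parses each rule, so a rule that references a variable defined further down the file is a configuration error, and -T will report it before any traffic is inspected.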
Snort: Understanding the configuration file
Introduction: Upgrade to Snort 2.6.1.2
The snort.conf file
Defining IP ranges of interest
Defining ports of interest
Core preprocessors
Non-dynamic preprocessors
Conclusion
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.