Snort mailing list archives
Re: config files
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Sat, 24 Jun 2017 11:01:49 -0400
On 6/23/17 10:08 PM, Skip Carter wrote:
> I have a practical question about the lua config files: What is the philosophy about what belongs in snort_defaults.lua vs snort_config.lua vs snort.lua? They are 3 different files for some reason.
snort.lua is your main configuration file. The default snort.lua is intentionally lean so that you can very easily see what is going on.
snort_defaults.lua is included in snort.lua to provide all the external defaults. In particular, all lists are provided there. The gtp defaults, for example, span nearly 500 lines in snort_defaults.lua, and can be used with just one line in snort.lua like this:
gtp_inspect = default_gtp
That is much easier to work with. Note that simple types like integers
and bools have internal defaults. They can be used like this:
sip = { }
snort_config.lua is actually a library file that defines scripts used to
load the configuration from Lua into C++. That is a "set and forget"
loaded with this line:
require('snort_config')
You need that line in your top-level config files such as snort.lua.
Beyond that, you can use any file arrangement you like, from putting
everything into one file to putting everything into separate files.
There is no right or wrong way as long as it does what you want. The
packaged snort.lua and snort_defaults.lua are one example that should
make it easy for most folks to get started. In most cases, you should
only need to tweak snort.lua.
> The command line is getting awfully busy, can't I put a lot of that in one of the lua scripts?
Maybe. Some things are only command line options though. You can check the available configuration options with
snort --help-config
to see what can go in a Lua file. However, it is not uncommon to have
complex Snort commands which are managed with bash scripts or whatever.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
