# # This is not an exhaustive list of configuration items, just those that # require more explanation than is given in the tables that define them, below. # # https://openwrt.org/docs/guide-user/services/snort # # snort # manual - When set to 1, use manual configuration for legacy behavior. # When disabled, then use this config. # interface - Default should usually be 'uci get network.wan.device', # something like 'eth0' # home_net - IP range/ranges to protect. May be 'any', but more likely it's # your lan range, default is '192.168.1.0/24' # external_net - IP range external to home. Usually 'any', but if you only # care about true external hosts (trusting all lan devices), # then '!$HOME_NET' or some specific range # mode - 'ids' or 'ips', for detection-only or prevention, respectively # oinkcode - https://www.snort.org/oinkcodes # config_dir - Location of the base snort configuration files. Default /etc/snort # temp_dir - Location of all transient snort config, including downloaded rules # Default /var/snort.d # logging - Enable external logging of events thus enabling 'snort-mgr report', # otherwise events only go to system log (i.e., 'logread -e snort:') # log_dir - Location of the generated logs, and oh-by-the-way the snort # PID file (why?). Default /var/log # openappid - Enabled inspection using the 'openappid' package # See 'opkg info openappid' # action - 'alert', 'block', 'reject' or 'drop' # method - 'pcap', 'afpacket' or 'nfq' # snaplen - int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 } # include - User-defined snort configuration, applied at end of generated snort.lua # # nfq - https://github.com/snort3/libdaq/blob/master/modules/nfq/README.nfq.md # queue_maxlen - nfq's '--daq-var queue_maxlen=int' # queue_count - Count of queues to use when method=nfq, usually 2-8 # fanout_type - Sets kernel load balancing algorithm*, one of hash, lb, cpu, # rollover, rnd, qm. # thread_count - int snort.-z: maximum number of packet threads # (same as --max-packet-threads); 0 gets the number of # CPU cores reported by the system; default is 1 { 0:max32 } # chain_type - Chain type when generating nft output # chain_priority - Chain priority when generating nft output # include - Full path to user-defined extra rules to include inside queue chain # # * - for details on fanout_type, see these pages: # https://github.com/florincoras/daq/blob/master/README # https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt # config snort 'snort' option enabled '0' # one of [0, 1] option manual '1' # one of [0, 1] option oinkcode '' # a string option home_net '192.168.1.0/24' # a string option external_net 'any' # a string option config_dir '/etc/snort' # a path string option temp_dir '/var/snort.d' # a path string option log_dir '/var/log' # a path string option logging '1' # one of [0, 1] option openappid '0' # one of [0, 1] option mode 'ids' # one of [ids, ips] option method 'pcap' # one of [pcap, afpacket, nfq] option action 'alert' # one of [alert, block, drop, reject] option interface 'eth0' # a string option snaplen '1518' # 1518 <= x <= 65535 option include '' # a path string config nfq 'nfq' option queue_count '4' # 1 <= x <= 16 option queue_start '4' # 1 <= x <= 32768 option queue_maxlen '1024' # 1024 <= x <= 65536 option fanout_type 'hash' # one of [hash, lb, cpu, rollover, rnd, qm] option thread_count '0' # 0 <= x <= 32 option chain_type 'input' # one of [prerouting, input, forward, output, postrouting] option chain_priority 'filter' # one of [raw, filter, 300] option include '' # a path string