1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
-- This file is no longer used if you are using 'snort-mgr' to create the
-- configuration. It is left as a sample.
--
-- use ths file to customize any functions defined in /etc/snort/snort.lua
-- switch tap to inline in ips and uncomment the below to run snort in inline mode
--snort = {}
--snort["-Q"] = true
ips = {
mode = tap,
-- mode = inline,
variables = default_variables,
-- uncomment and change the below to reflect rules or symlinks to rules on your filesystem
-- include = RULE_PATH .. '/snort.rules',
}
daq = {
module_dirs = {
'/usr/lib/daq',
},
modules = {
{
name = 'afpacket',
mode = 'inline',
}
}
}
alert_syslog = {
level = 'info',
}
-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
--output.logdir = '/var/log/snort'
--alert_fast = {
-- file = true,
-- packet = false,
--}
normalizer = {
tcp = {
ips = true,
}
}
file_policy = {
enable_type = true,
enable_signature = true,
rules = {
use = {
verdict = 'log', enable_file_type = true, enable_file_signature = true
}
}
}
-- To use openappid with snort, install the openappid package and uncomment the below
--appid = {
-- app_detector_dir = '/usr/lib/openappid',
-- log_stats = true,
-- app_stats_period = 60,
--}
|