1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
#
# This is not an exhaustive list of configuration items, just those that
# require more explanation than is given in the tables that define them, below.
#
# https://openwrt.org/docs/guide-user/services/snort
#
# snort
# manual - When set to 1, use manual configuration for legacy behavior.
# When disabled, then use this config.
# interface - Default should usually be 'uci get network.wan.device',
# something like 'eth0'
# home_net - IP range/ranges to protect. May be 'any', but more likely it's
# your lan range, default is '192.168.1.0/24'
# external_net - IP range external to home. Usually 'any', but if you only
# care about true external hosts (trusting all lan devices),
# then '!$HOME_NET' or some specific range
# mode - 'ids' or 'ips', for detection-only or prevention, respectively
# oinkcode - https://www.snort.org/oinkcodes
# config_dir - Location of the base snort configuration files. Default /etc/snort
# temp_dir - Location of all transient snort config, including downloaded rules
# Default /var/snort.d
# logging - Enable external logging of events thus enabling 'snort-mgr report',
# otherwise events only go to system log (i.e., 'logread -e snort:')
# log_dir - Location of the generated logs, and oh-by-the-way the snort
# PID file (why?). Default /var/log
# openappid - Enabled inspection using the 'openappid' package
# See 'opkg info openappid'
# action - 'alert', 'block', 'reject' or 'drop'
# method - 'pcap', 'afpacket' or 'nfq'
# snaplen - int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }
# include - User-defined snort configuration, applied at end of generated snort.lua
#
# nfq - https://github.com/snort3/libdaq/blob/master/modules/nfq/README.nfq.md
# queue_maxlen - nfq's '--daq-var queue_maxlen=int'
# queue_count - Count of queues to use when method=nfq, usually 2-8
# fanout_type - Sets kernel load balancing algorithm*, one of hash, lb, cpu,
# rollover, rnd, qm.
# thread_count - int snort.-z: <count> maximum number of packet threads
# (same as --max-packet-threads); 0 gets the number of
# CPU cores reported by the system; default is 1 { 0:max32 }
# chain_type - Chain type when generating nft output
# chain_priority - Chain priority when generating nft output
# include - Full path to user-defined extra rules to include inside queue chain
#
# * - for details on fanout_type, see these pages:
# https://github.com/florincoras/daq/blob/master/README
# https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt
#
config snort 'snort'
option enabled '0' # one of [0, 1]
option manual '1' # one of [0, 1]
option oinkcode '' # a string
option home_net '192.168.1.0/24' # a string
option external_net 'any' # a string
option config_dir '/etc/snort' # a path string
option temp_dir '/var/snort.d' # a path string
option log_dir '/var/log' # a path string
option logging '1' # one of [0, 1]
option openappid '0' # one of [0, 1]
option mode 'ids' # one of [ids, ips]
option method 'pcap' # one of [pcap, afpacket, nfq]
option action 'alert' # one of [alert, block, drop, reject]
option interface 'eth0' # a string
option snaplen '1518' # 1518 <= x <= 65535
option include '' # a path string
config nfq 'nfq'
option queue_count '4' # 1 <= x <= 16
option queue_start '4' # 1 <= x <= 32768
option queue_maxlen '1024' # 1024 <= x <= 65536
option fanout_type 'hash' # one of [hash, lb, cpu, rollover, rnd, qm]
option thread_count '0' # 0 <= x <= 32
option chain_type 'input' # one of [prerouting, input, forward, output, postrouting]
option chain_priority 'filter' # one of [raw, filter, 300]
option include '' # a path string
|