0c1425f8fe
* Use Boolean true for enable inline mode which is more intuitive that older ''
* Add skeleton section for openappid since it has been merged[1]
1. 2d4e7d5fd3
Signed-off-by: John Audia <therealgraysky@proton.me>
59 lines
1.2 KiB
Lua
59 lines
1.2 KiB
Lua
-- use ths file to customize any functions defined in /etc/snort/snort.lua
|
|
|
|
-- switch tap to inline in ips and uncomment the below to run snort in inline mode
|
|
--snort = {}
|
|
--snort["-Q"] = true
|
|
|
|
ips = {
|
|
mode = tap,
|
|
-- mode = inline,
|
|
variables = default_variables,
|
|
-- uncomment and change the below to reflect rules or symlinks to rules on your filesystem
|
|
-- include = RULE_PATH .. '/snort.rules',
|
|
}
|
|
|
|
daq = {
|
|
module_dirs = {
|
|
'/usr/lib/daq',
|
|
},
|
|
modules = {
|
|
{
|
|
name = 'afpacket',
|
|
mode = 'inline',
|
|
}
|
|
}
|
|
}
|
|
|
|
alert_syslog = {
|
|
level = 'info',
|
|
}
|
|
|
|
-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
|
|
--output.logdir = '/var/log/snort'
|
|
--alert_fast = {
|
|
-- file = true,
|
|
-- packet = false,
|
|
--}
|
|
|
|
normalizer = {
|
|
tcp = {
|
|
ips = true,
|
|
}
|
|
}
|
|
|
|
file_policy = {
|
|
enable_type = true,
|
|
enable_signature = true,
|
|
rules = {
|
|
use = {
|
|
verdict = 'log', enable_file_type = true, enable_file_signature = true
|
|
}
|
|
}
|
|
}
|
|
|
|
-- To use openappid with snort, install the openappid package and uncomment the below
|
|
--appid = {
|
|
-- app_detector_dir = '/usr/lib/openappid',
|
|
-- log_stats = true,
|
|
-- app_stats_period = 60,
|
|
--}
|