Template: snort-pgsql/startup
Type: select
_Choices: boot, dialup, manual
Default: boot
_Description: When should Snort be started?
 Snort can be started during boot, when connecting to the net with pppd or
 only when you manually start it via /usr/sbin/snort.

Template: snort-pgsql/interface
Type: string
Default: eth0
_Description: On which interface(s) should Snort listen?
 Please enter the name(s) of the interface(s) which Snort should listen on.
 The names of the available interfaces are provided by running either
 'ip link show' or 'ifconfig'.
 This value usually is 'eth0', but you might want to vary this depending
 on your environment; if you are using a dialup connection, 'ppp0' might
 be more appropriate.
 .
 Notice that Snort is usually configured to inspect all traffic coming
 from the Internet, so the interface you add here is usually the same one
 the 'default route' is on. You can determine which interface is used
 for this by running either '/sbin/ip ro sh' or '/sbin/route -n' (look for
 'default' or '0.0.0.0').
 .
 It is also not uncommon to run Snort on an interface with no IP address
 configured and in promiscuous mode. If this is your case, select the
 interface in this system that is physically connected to the network
 you want to inspect, enable promiscuous mode later on and make sure
 that the network traffic is sent to this interface (either connected
 to a 'port mirroring/spanning' port in a switch, to a hub or to a tap).
 .
 You can configure multiple interfaces here, just by adding more than
 one interface name separated by spaces. Each interface can have its
 specific configuration.

Template: snort-pgsql/address_range
Type: string
Default: 192.168.0.0/16
_Description: Please enter the address range that Snort will listen on.
 You have to use CIDR form, e.g. 192.168.1.0/24 for a block of 256 IPs or
 192.168.1.42/32 for just one. Specify multiple addresses on a single line
 separated by ',' (comma characters), no spaces allowed!
 .
 If you want, you can specify 'any' to not trust any side of the network.
 .
 Notice that if you are using multiple interfaces this definition will
 be used as the HOME_NET definition of all of them.
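A validation routine for the two values the interface and address_range templates above describe (a space-separated interface list, and a HOME_NET value that is either 'any' or a comma-separated list of CIDR blocks with no spaces), added here as an example; it is not part of the snort-pgsql package or its config script. The function names `validate_interfaces`, `validate_home_net`, `is_cidr` and `is_ipv4` are assumptions of this example. It is written in POSIX sh, as a Debian maintainer script would be, so that a bad answer is rejected before it is written into /etc/default/snort and Snort fails to start with a less obvious error.

```shell
#!/bin/sh
# Added example, not code from the snort-pgsql package. Function names are
# hypothetical. Validates the debconf answers for snort-pgsql/interface and
# snort-pgsql/address_range before they reach /etc/default/snort.

# Disable pathname expansion: the functions below split values with
# 'set --', and an unquoted '*' must never be turned into file names.
set -f

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$1" "$2" "$3" "$4"; do
        case $oct in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is one CIDR block (address/prefix, prefix length 0..32).
is_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case $plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    is_ipv4 "$addr"
}

# HOME_NET as the template describes it: 'any', or CIDR blocks separated
# by commas only. Whitespace, empty items and bare addresses are rejected.
validate_home_net() {
    net=$1
    [ "$net" = any ] && return 0
    case $net in
        ''|*[[:space:]]*|,*|*,|*,,*) return 1 ;;
    esac
    oldifs=$IFS; IFS=,
    set -- $net
    IFS=$oldifs
    for block in "$@"; do
        is_cidr "$block" || return 1
    done
    return 0
}

# Interface list: one or more names separated by spaces, each made only of
# the characters Linux allows in interface names. Anything else (shell
# metacharacters in particular) is rejected rather than passed to snort.
validate_interfaces() {
    [ -n "$1" ] || return 1
    for ifname in $1; do
        case $ifname in
            *[!A-Za-z0-9._:-]*) return 1 ;;
        esac
    done
    return 0
}
```

A config script would call `validate_home_net "$RET"` after `db_get snort-pgsql/address_range` and re-ask the question on failure; the same applies to `validate_interfaces` for snort-pgsql/interface.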

Template: snort-pgsql/disable_promiscuous
Type: boolean
Default: false
_Description: Should Snort disable promiscuous mode on the interface?
 Disabling promiscuous mode means that Snort will only see packets
 addressed to its own interface. Enabling it allows Snort to check
 every packet that passes the Ethernet segment even if it is a connection
 between two other computers.
 .
 Disable promiscuous mode if you are configuring Snort on an interface
 without a configured IP address.

Template: snort-pgsql/reverse_order
Type: boolean
Default: false
_Description: Should Snort's rules testing order be changed to Pass|Alert|Log?
 If you change Snort's rules testing order to Pass|Alert|Log, they will be
 applied in Pass->Alert->Log order, instead of the standard Alert->Pass->Log.
 This will prevent people from having to make huge Berkeley Packet Filter
 command line arguments to filter their alert rules.

Template: snort-pgsql/send_stats
Type: boolean
Default: true
_Description: Should daily summaries be sent by e-mail?
 This Snort installation provides a cron job that runs daily and
 summarises the information of Snort logs to a selected email address.
 If you want to disable this feature, say 'no' here.

Template: snort-pgsql/stats_rcpt
Type: string
Default: root
_Description: Who should receive the daily statistics mails?
 A cron job running daily will summarise the information of the logs
 generated by Snort using a script called 'snort-stat'. Enter
 here the recipient of these mails. The default value is the system
 administrator. If you keep this value, make sure that the mail of
 the administrator is redirected to a user that actually reads those
 mails.

Template: snort-pgsql/options
Type: string
_Description: If you want to specify custom options to Snort, please specify them here.

Template: snort-pgsql/stats_treshold
Type: string
Default: 1
_Description: An alert needs to appear more times than this number to be included in the daily statistics.

Template: snort-pgsql/config_parameters
Type: note
_Description: This system uses an obsolete configuration file
 Your system has an obsolete configuration file
 (/etc/snort/snort.common.parameters)
 which has been automatically converted into the new configuration
 file format (at /etc/default/snort). Please review the new configuration
 and remove the obsolete one. Until you do this, the init.d script
 will not use the new configuration and you will not take advantage
 of the benefits introduced in newer releases.

Template: snort-pgsql/configure_db
Type: boolean
Default: true
_Description: Do you want to set up a database for snort-pgsql to log to?
 You only need to do this the first time you install snort-pgsql. Before
 you go on, make sure you have (1) the hostname of a machine running a
 pgsql server set up to allow TCP connections from this host, (2) a
 database on that server, (3) a username and password to access the
 database. If you don't have _all_ of these, either select 'no' and run
 with regular file logging support, or fix this first. You can always
 configure database logging later, by reconfiguring the snort-pgsql
 package with 'dpkg-reconfigure -plow snort-pgsql'.

Template: snort-pgsql/needs_db_config
Type: note
_Description: Snort needs a configured database to log to before it starts.
 Snort needs a configured database before it can successfully start up.
 In order to create the structure you need to run the following commands
 AFTER the package is installed:
  cd /usr/share/doc/snort-pgsql/
  zcat create_postgresql.gz | psql -U <user> -h <host> -W <databasename>
 Fill in the correct values for the user, host, and database names.
 PostgreSQL will prompt you for the password.
 .
 After you have created the database structure, you will need to start Snort
 manually.

Template: snort-pgsql/db_host
Type: string
_Description: Please enter the hostname of the pgsql database server to use.
 Make sure it has been set up correctly to allow incoming connections from
 this host!

Template: snort-pgsql/db_database
Type: string
_Description: Please enter the name of the database to use.
 Make sure this database has been created and your database user has write
 access to this database.

Template: snort-pgsql/db_user
Type: string
_Description: Please enter the name of the database user you want to use.
 Make sure this user has been created and has write access.

Template: snort-pgsql/db_pass
Type: password
_Description: Please enter the password for the database connection.
 Please enter a password to connect to the Snort Alert database.

Template: snort-pgsql/please_restart_manually
Type: note
_Description: You are running Snort manually.
 Please restart Snort using:
  /etc/init.d/snort start
 to let the settings take effect.

Template: snort-pgsql/config_error
Type: note
_Description: There is an error in your configuration
 Your Snort configuration is not correct and Snort will not be able to start
 up normally. Please review your configuration and fix it. If you do not
 do this, Snort package upgrades will probably break. To check which error
 is being generated, run '/usr/sbin/snort -T -c /etc/snort/snort.conf'
 (or point to an alternate configuration file if you are using different
 files for different interfaces).