[Snort-devel] The $<inetname>_ADDRESS variable

Martin Roesch roesch at ...48...
Sat Oct 7 00:17:30 EDT 2000


Michael Davis wrote:
> 
> > Good idea, making it easier on first timers is a great thought.
> > There are getting to be enough options in Snort now that it can be
> > fairly daunting to get up and running.
> 
> Has anyone thought of a configuration file instead of command line
> arguments?

Yes. :)

> > file, but a full configuration file.  We're to the point now where
> > that's pretty true. :)
> 
> Wow, I guess someone did!  Any more work being actively done on this?
> If not I can whip something up to parse a file for key=value and
> ignore lines that start with #. Or even moving to long options instead
> of short ones. We might run out of letters soon :)

I've been thinking of trying out Mike Borella's genparse program to help
generate new command line parsing code for Snort.  Check it out at
http://www.borella.net.  It can generate both regular and long options for any
C program.

If we make something where we do full run-time options parsing (aka the
command line) inside the rules/config file, we're going to have to add some
things:

1) Snort will have to try to open a default config file at startup.  I'd
suggest that it look for snort.conf.

2) We need to define a new keyword in the conf file.  I'll suggest that we
name it "config".  So, it'd look something like this:

config verbose
config dump_data
config alert: fast
config log: tcpdump
config logdir: /var/log/snort
etc...

If you want to make it happen, feel free to go for it.  Other pieces of
functionality:

* Retain backwards compatibility with old command line options
* Collisions between command line and config file args go with whatever the
command line says

One of these days, we also need to fix the whole parsing system so that it has
better error checking and improved parsing capabilities (i.e. multi-line
capability, etc)

     -Marty

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
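
The scheme proposed in the message above, as an added example that is not part of the original post and is not Snort source code: a line parser for "config" directives with command-line values taking precedence over the file. The function names, table sizes and the choice to store a valueless flag as an empty string are assumptions; the caller is assumed to record command-line options first with from_cli set to 1.

```c
/* Added example (hypothetical names, not Snort source): "config" lines, CLI wins. */
#include <ctype.h>
#include <string.h>

enum { MAX_OPTS = 16, FIELD = 64 };
struct opt { char key[FIELD], val[FIELD]; int from_cli; };
struct opts { struct opt o[MAX_OPTS]; int n; };
/* Strip leading and trailing whitespace in place. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}
/* Look up a key: "" for a flag set without a value, NULL if unset. */
const char *opt_get(const struct opts *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->o[i].key, key) == 0) return t->o[i].val;
    return NULL;
}
/* Store key/val; a command-line value is never replaced by a file value. */
int opt_set(struct opts *t, const char *key, const char *val, int from_cli) {
    struct opt *p = NULL;
    if (strlen(key) >= FIELD || strlen(val) >= FIELD) return -1;
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->o[i].key, key) == 0) p = &t->o[i];
    if (p && p->from_cli && !from_cli) return 0;   /* command line wins */
    if (!p && t->n == MAX_OPTS) return -1;         /* table full */
    if (!p) strcpy((p = &t->o[t->n++])->key, key); /* new entry */
    strcpy(p->val, val);
    p->from_cli = from_cli;
    return 0;
}
/* 1 = config directive accepted, 0 = other line (blank, #, rule), -1 = malformed. */
int parse_line(struct opts *t, const char *line) {
    char buf[256], *s, *val = "", *colon;
    if (strlen(line) >= sizeof buf) return -1;     /* reject over-long lines */
    s = trim(strcpy(buf, line));
    if (*s == '#' || strncmp(s, "config", 6) != 0) return 0;
    if (s[6] == '\0') return -1;                   /* bare "config" */
    if (!isspace((unsigned char)s[6])) return 0;   /* e.g. "configure" */
    s = trim(s + 6);
    if ((colon = strchr(s, ':')) != NULL) {
        *colon = '\0';
        if (*(val = trim(colon + 1)) == '\0') return -1; /* "config alert:" */
    }
    s = trim(s);
    return (*s && opt_set(t, s, val, 0) == 0) ? 1 : -1;
}
```

Lines that do not start with the config keyword return 0 so an existing rules parser can handle them unchanged.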


