52
edits
Snort: Difference between revisions
Jump to navigation
Jump to search
mention snort config
(add mem config) |
(mention snort config) |
||
| Line 15: | Line 15: | ||
=== Configuring Snort === | === Configuring Snort === | ||
{{Warning|title=Beta Feature|Currently there is no proper way to inspect Snort's error output, so invalid configs may result in the Snort analysis seemingly crashing for no reason. At the moment we recommend testing the validity of the configuration with a local Snort installation.}} | |||
==== Config==== | |||
Snort can be configured via Lua scripts which are executed in a sandboxed environment at startup. The multimeter is delivered with the default configuration files of Snort, with the exception that some of the variables have been moved to a new <code>config.lua</code> file. This file is included before everything else. | |||
To learn more about how Snort configuration works, refer to [https://docs.snort.org/start/configuration their documentation]. | |||
In order to edit this configuration the multimeter provides a web-based interface to either change the <code>config.lua</code> via a GUI, or to edit any configuration file directly. To start editing the configuration click the "Edit config" button. This opens a new modal providing the two editing modes, which can be switched via the buttons at the top center of the window. | |||
==== | =====Simple editor===== | ||
Snort can be | This is the first editing mode, and is the one selected by default when opening the config modal. It provides a GUI which allows the user to edit the variables stored in the <code>config.lua</code>. Note that this implies that <code>config.lua</code> is a managed file, which means that directly editing this file is discouraged. As the warning in this file states, editing the values of variables will work fine, however adding new content to the file will cause it to be overridden once the simple editor is used for the next time. | ||
[[File:Snort config simple settings.png|thumb|The Snort config's simple editor]] | |||
The simple editor provides only a few values that can be edited. Users are encouraged to adjust these values according to their network setup. Setting the home and external network is the only strictly necessary configuration, as the other values are derived from them. The default values for these networks is "any". Refer to the Snort documentation (see above) to find out which values are allowed. Values with a dollar sign ($) in front of them are variables, e.g. setting your DNS servers to <code>$HOME_NET</code> will set the vaule of the DNS servers field to the value of the Home network field. This is the default. | |||
Modifications to these values are not committed until either the "Apply" or "Save" button are pressed. Saving the settings will close the modal, while applying them will commit the changes but keep the modal open. Cancelling will cause all unsaved changes to be discarded (a warning modal will ask for confirmation before discarding). | |||
=====Lua editor===== | |||
This is the "advanced" configuration mode for Snort, and is toggled by clicking the appropriate button at the center top of the modal.[[File:Snort configuration lua mode.png|thumb|The Snort config's lua editor]] | |||
This view provides a text editor interface which allows for editing any of the Snort configuration files. The left hand side provides a file browser displaying all files in Snort's configuration folder. This does not necessarily mean that all of these files are used in the configuration. Only files included by an active configuration file are used. The analysis invokes Snort with <code>snort.lua</code> as the config file, so any other config files need to be included either by <code>snort.lua</code>, or one of its included files. | |||
'''While the <code>config.lua</code> is displayed in this list, it is discouraged to edit it directly.''' | |||
It is possible to create new files via the button at the bottom of the file list. Hovering over a file reveals two buttons for deleting a file and reloading a file. Deleting a file will mark it for deletion, but that change will not be committed until "Save" or "Apply" are pressed. Reloading a file causes it to be re-fetched from the multimeter and discards all changes to that file. A file can be renamed by selecting it and pressing F2. | |||