Next Previous Contents

6. Setting Up Snort

6.1 Starting Snort

The Snort IDS is available on the Sentry Firewall CD. This allows a Sentry Firewall system to act as an IDS sensor, and either store log data on a local hard drive, or send it to a remote log/mysql server. With the updates to version 1.5.0-rc4, snort is started in a chroot jail in the "/var/chroot/snort" directory. This provides an added layer of protection against a compromise of the running snort process.

Snort is started via the /etc/rc.d/rc.snort file in the SENTRYCD(slackware) branch, and via /etc/init.d/snort in the SENTRYCD-{DEB,RH} branches. Please take a look at this file if you wish to customize the options passed to snort at runtime. By default, log data is kept in tcpdump format, and is stored in the "/var/chroot/snort/var/log/SNORT" directory - "/var/log/SNORT" is a symlink to this directory.

6.2 Customizing Snort Rules

Snort rules are kept in the "/etc/snort" directory. The snort rules are basically the signatures and rules snort uses to match against IP traffic and create logs, alerts, etc. These files are kept current in each release with those available at For many setups, however, it will likely be necessary to add/remove/customize the snort rules. To do so, simply edit the file(s) you need to change and place them on a floppy or a remote server, and then use the "=" copy directive in your sentry.conf file to replace each file you altered. For example:

  /etc/snort/exploit.rules = /floppy/snort/exploit.rules
  /etc/snort/exploit.rules = scp://

6.3 The snort.conf File

The snort.conf file is used as the primary configuration file for snort. Again, in many setups it will likely be necessary to customize this file for your network. Once you have tuned the file to suit your environment you can place this file on a floppy or on a remote server and use the 'snort.conf' configuration directive in your sentry.conf file to declare its location.

Please visit and read the Snort Documentation for more information on configuring and using snort on your network(s).

Next Previous Contents