In Chapter 3, we took a (very) quick look at running Snort in alert mode (NIDS mode). When you changed the line in the snort.conf file that specified what path contained the rule files, you probably noticed that it is not a small file. There are a lot of settings in it and a newer version of Snort may include changes that can confuse even experts.
The snort.conf file controls everything about what Snort watches, how it defends itself from attack, what rules it uses to find malicious traffic, and even how it watches for potentially dangerous traffic that isn’t defined by a signature. A thorough understanding of what is in this file and how to configure it is essential to a successful deployment of Snort as an IDS in your environment.
Take your time with this chapter. It might be useful to have the file in front of you—either on your computer or printed out. Make a copy of the default snort.conf file (found in the same directory you untarred the rules in) so that you can go back to the default settings if you make a mistake or just want to start over. It is important to know that the settings in this file change as Snort changes—new features will be developed that need to be configured. If you move to a different version of Snort, examine the new snort.conf to make sure things haven’t drastically changed.
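As an added example (not from the book or the Snort project), the following POSIX shell script keeps an untouched copy of snort.conf, checks that the rule path it names and the rule files it includes actually exist, and then lets Snort parse the file in test mode. It assumes Snort 2.x syntax (`var RULE_PATH ../rules`, `include $RULE_PATH/local.rules`) and resolves a relative RULE_PATH against the directory holding snort.conf; both are assumptions of this script, as are the placeholder paths.

```shell
#!/bin/sh
# Added example, not from the book or the Snort project: keep an untouched
# copy of snort.conf and sanity-check the rule path before asking Snort to
# parse the file. Assumes Snort 2.x syntax ("var RULE_PATH ../rules",
# "include $RULE_PATH/local.rules"); a relative RULE_PATH is resolved here
# against the directory holding snort.conf (an assumption of this script).

# Save <conf>.default once so you can always return to the shipped settings.
backup_conf() {
    [ -f "$1.default" ] || cp "$1" "$1.default"
    printf '%s\n' "$1.default"
}

# Print the value of "var NAME value" (e.g. RULE_PATH) from a snort.conf.
conf_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3; exit }' "$1"
}

# Return 0 only when RULE_PATH exists and every "include $RULE_PATH/x" file
# is present; a missing rule file is reported here instead of at startup.
check_rule_includes() {
    conf="$1"
    rule_path=$(conf_var "$conf" RULE_PATH)
    [ -n "$rule_path" ] || { echo "no 'var RULE_PATH' line in $conf" >&2; return 1; }
    case "$rule_path" in
        /*) rule_dir="$rule_path" ;;
        *)  rule_dir="$(dirname "$conf")/$rule_path" ;;
    esac
    [ -d "$rule_dir" ] || { echo "RULE_PATH '$rule_dir' is not a directory" >&2; return 1; }
    rc=0
    for inc in $(awk '$1 == "include" && $2 ~ /^\$RULE_PATH\// { print $2 }' "$conf"); do
        f="$rule_dir/${inc#\$RULE_PATH/}"
        [ -f "$f" ] || { echo "missing rule file: $f" >&2; rc=1; }
    done
    return "$rc"
}

# Back up, check includes, then let Snort itself parse the file (-T = test
# the configuration and exit, no packet capture) when the binary is present.
validate_snort_conf() {
    backup_conf "$1" >/dev/null
    check_rule_includes "$1" || return 1
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1"
    fi
}

# Usage: sh check_snort_conf.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then
    validate_snort_conf "$1"
fi
```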
Several of the options have suggested configurations that should work in most environments. The configurations attempt to reasonably compromise on sensitivity, ...