servsock.conf − Configuration file for servsock


The file servsock.conf is read by servsock for configuration parameters. This configuration file is searched in the installation configuration directory and is read in on startup.

The entries are separated by colons or equal sign:

keyword: value

keyword= value

All line entries after the # sign are treated as a comment and were ignored. If this sign is required you can escape it with a backslash (\):

keyword: va\#lue # comment

If the first and last character of value are a quote or double quote these characters are stripped and all between is used. This is useful for either empty values or values with white spaces:

´spa ce´ = "spa ce" = spa ce

The keywords are case insensitive.

Some of the parameters can be changed during run time. See servsock(8) for details.


DBuser: name

Specifies the name of the database user who is allowed to do INSERTs and UPDATEs of tables. The default is snort.

DBpassword: password

Specifies the password used among with the DBuser name to connect to the database. Note: An empty password has be noted as ´´ or "", which is the default.

DBname: name

Name of database where servsock should insert the alerts, defaults to snort.

DBtype: name

Type of database to use. Actually only MySQL and Postgres are supported and have to be enabled at compile time of servsock. No default is set since it is not clear which database support was enabled at compile time of servsock.

DBencoding: type

Defines the encoding scheme for the payload in the database. Allowed values are hex, base64 and ascii. The base64 encoding requires less memory but then you are no longer able to search the payload easily for a keyword. The ascii only stores ascii characters to the database, all binary data is replaced by a dot. So the only really useful one is the hex scheme which is the default.

DBTrust: value

A non−zero value enables the trust modus for the database. If this modus is enabled it is assumed that all possible signatures are already part of the database. This will result in faster INSERTs since less SELECT statements are needed. It is safe to enable this even if you are not sure.

DBTrans: value

A non−zero value enables the use of transactions together with the database. If you use the MySQL database you have to use tables of type InnoDB, otherwise the transactions are simply ignored.

PIDFile: <PIDFile>

Specifies which file should be used to store the pid. This file must be writeable by the user running servsock!

SocketName: name

This specifies where to find the unix socket of the database. If the word NULL (all capital!) is given, the database libraries find the socket by their own mechanism. This is useful in combination with the PostgreSQL database. A TCP connection to the database will be created if name is of the form hostname:port.

FullPayload: value

If value is positive then it will be tried to store additional information in the database so that a pcap file can be rebuild. Therefore you need an extended database scheme (see README.payload).

Reference: value

If value is positive then it will be tried to store additional information in the database so that a pcap containing all related tagged packets file can be rebuild. With a value of 2 an offset of last_cid+1 is added to each event_reference to get a unique id for all tagged packets of the same session. Therefore you need an extended database scheme (see README.payload).

ServerName: name

Defines on which address/interface servsock should listen on. Possible values for name are either full qualified names (not very useful) or a dotted IP address. The default is, listen on all interfaces.

ServerPort: value

Defines the port where servsock should listen on. The default is port 1234.

AlarmDelay: value

Write every value seconds statistics of received, sent and dropped alerts. In braces the difference to the last output is printed.

Syslog: value

if the value is non−zero then the statistics are logged via syslog and not printed to stdout. The facility is LOCAL0 and the level is INFO.

FQNSensor: value

With a value=0 the IP address of the sensor is used as sensor name in conjunction with the database. This option is now obsolete and is ignored, the sensor provides its name which must not relate to a DNS name.

AlertSocket: name

Name of the unix socket where alerts with high priority are written to. If name is "NULL" then alerting is disabled.

UnixPriority: value

The value determines the minimum priority where alerts are additionally written to the AlertSocket. If this value is negative then the absolute value is taken and the order is reversed. Then the lowest number is interpreted as the highest priority.

DropSocket: name

Name of the unix socket where alerts are dropped to if the number of queued alerts reaches the highwater mark. If name is "NULL" then dropping is disabled.

DropQuiet: value

If value is not zero then all dropped alerts are not written to the DropSocket. Note: Dropping is still active!

HighWater: value

If the number of queued alerts reaches this value then servsock begins to drop alerts to the DropSocket.

LowWater: value

This value must be smaller than he HighWater value. If the HighWater mark is reached so many alerts are dropped to the DropSocket until this LowWater value is reached.

DaemonMode: value

A non−zero value enables the daemon mode, the program starts into the background. This automatically activates the Syslog option

Umask: mode

Sets the umask to mode for the daemon mode. This affects the mode for the created pid file. The mode can be either given in ascii, octal (with leading 0) or hex (with leading 0x).

DaemonDir: dir

Sets the working directory in daemon mode to dir. The default is to use the current working directory. It is useful to choose "/" to avoid using mounted filesystems.

SwapDir: dir

Sets the swap directory where temporarily files are stored for the special case that the database has gone and alerts are still buffered.

Debug: area,level

Activate debug output for area (see README.debug) for informations up to level. A value of ALL activates all areas, level should be between 0 (disabled) and 9 (maximum output). This option can be used several times for different values.

TimeZone: value

Specify if we should log the time with the local timezone (value=0) or if we should use UTC.