FLoP - 1.6.0: Fast Logging Project for Snort
PrevChapter 6. The programs alert and dropNext

6.4. The configuration file for alert and drop

The format of the configuration file is the same as for servsock and sockserv.

The parameters of the configuration file for alert and drop in detail

AlarmDelay: time

The program will check every time seconds for the presence of received alerts. If there are any an email is send. The default is 5 minutes (300 seconds). The equivalent command line option is -A.

AlarmLevel: level

If the number of received alerts reaches level than an email is sent regardless of the status of AlarmDelay. The default is 0 which disables this feature. But it is recommed to use this feature since it limits the number of alerts which are buffered in memory. The command line option is -L.

DaemonMode: value

A non-zero value enables the daemon mode. The program forks off in the background and detaches from the terminal. See also option DaemonDir and Umask. This automatically enables also the option Syslog. The command line option -b.

FQNNames: value

A non-zero value enables resolving of full qualified names of the reporting sensor. To reduce CPU usage this values are cached in an internal list[1]. See also option -F.

MailServer: name

Specifies the server which should be used for relaying of the emails. This server should allow relaying for the different hosts running sockserv and servsock. The default server is localhost. The command line option is -S.

MailPort: number

Specifies that the mail server is reached via port number. The default is port 25. The command line option is -p.

MailRecipient: address

Sets the address of one recipient of the emails. This option can be used several times to build a list of recipients. This is equal to the command line option -r.

MailSender: address

Sets the address of the sender of the emails. The command line option is -f.

MailDomain: domainname

Specifies the domain name which should be used in a mail session on startup (HELO string), see option -d.

MaxCount: count

Specifies the maximum number of tries to connect to the mailserver and deliver mails. After count tries the program alert terminates! The program drop simply writes all alerts to syslog or stdout and continues to work. See option -M.

PIDFile: filename

Specifies which file should be used to store the PID. This file must be writeable by the user running servsock! This correspond to option -P.

SocketName: socket

This specifies which unix domain socket should be opened for sockserv and servsock. This is equal to the -s.

Syslog: value

If the value is non-zero then all output is written to syslog and not printed to stdout. The facility is LOCAL0 and the level is INFO. Compare to option -l

Umask: mode

Sets the umask to mode for the DaemonMode. This affects the mode for the created PIDFile and unix domain socket (see SocketName). The mode can be either given in ascii, octal (with leading 0) or hex (with leading 0x). This is equal to the option -m.

DaemonDir: directory

Sets the working directory in daemon mode to daemondir. The default is to use the current working directory. It is useful to choose / to avoid blocking of mounted filesystems. See option -w.

Notes

[1]

If the DNS name changes while the program runs, the old names are still used. This is unlikely but the program may run for a long time.

PrevHomeNext
The command line options of alert and dropUpSignalhandling