Chinaunix blog
Category: Network & Security

2008-06-23 10:40:32

The snort configuration file (snort.conf) is organised in six steps, which roughly follow the order in which a packet is processed: variables, dynamically loaded libraries, preprocessors, output plugins, config statements, and finally the rule set.
Step #1: Set the network variables
These are ordinary variable definitions; later steps and the rules refer to them as $NAME.
Local network (pick one form):
var HOME_NET 10.1.1.0/24
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
A variable can also be defined once and referenced from another:
var HOST_NET 192.168.1.1/24
var HOME_NET $HOST_NET
External network, usually set to
var EXTERNAL_NET any
Server variables for the individual services on your network. Leaving them at $HOME_NET is safe but broad; narrowing each one to the hosts that actually run the service cuts false positives, and a service you do not run can simply be commented out:
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
A real-world example for the AIM (AOL Instant Messenger) servers:
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Port variables for specific services (!80 means every port except 80; lists and low:high ranges such as [80,8080:8090] are also accepted):
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
Paths to the rule directories:
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
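As an added example (not part of the original post, and not snort's own parser), here is a small Python checker for the variable section: it collects var/portvar/ipvar definitions, expands $NAME references, and parses the resulting address and port lists, flagging undefined variables (the HOST_NET/HOME_NET typo class) and reference cycles, both of which stop snort from starting. It goes beyond the page's own examples by handling nested bracket lists, negation of a whole list, and low:high port ranges. The SAMPLE_CONF fragment is constructed for the example and the function names are the example's own.

```python
import ipaddress
import re

# Constructed snort.conf fragment (assumed, not from any real deployment). The
# typo on the last line ("$HOST_NTE") is deliberate so the resolver has
# something to catch; the commented-out line must be ignored.
SAMPLE_CONF = """\
var HOST_NET 192.168.1.1/24
var HOME_NET [10.1.1.0/24,$HOST_NET]
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080:8090]
portvar SHELLCODE_PORTS !$HTTP_PORTS
# var DNS_SERVERS $HOME_NET
var SQL_SERVERS $HOST_NTE
"""

VAR_RE = re.compile(r"^\s*(var|portvar|ipvar)\s+(\w+)\s+(.+?)\s*$")
REF_RE = re.compile(r"\$(\w+)")

def parse_vars(text):
    """Return {name: raw_value} for every uncommented var/portvar/ipvar line."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            out[m.group(2)] = m.group(3)
    return out

def resolve(name, variables, _stack=()):
    """Expand every $REF in variables[name], recursively. KeyError for an
    undefined variable, ValueError for a reference cycle."""
    if name not in variables:
        raise KeyError(f"undefined variable ${name}")
    if name in _stack:
        raise ValueError("cycle: " + " -> ".join(_stack + (name,)))
    return REF_RE.sub(lambda m: resolve(m.group(1), variables, _stack + (name,)),
                      variables[name])

def check_config(text):
    """Resolve every variable; return ({name: resolved_value}, [problems])."""
    variables = parse_vars(text)
    resolved, problems = {}, []
    for name in variables:
        try:
            resolved[name] = resolve(name, variables)
        except (KeyError, ValueError) as e:
            problems.append(f"{name}: {e.args[0]}")
    return resolved, problems

def split_top_level(spec):
    """Split on commas that are not inside a nested [...]."""
    parts, cur, depth = [], [], 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_addr_list(spec):
    """Parse a resolved address spec into [(negated, ip_network)]: 'any', one
    CIDR, nestable bracket lists, '!' on one entry or on a whole list."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec[1:].strip() if negate else spec
    if spec == "any":
        return [(negate, ipaddress.ip_network("0.0.0.0/0"))]
    if spec.startswith("[") and spec.endswith("]"):
        return [(neg != negate, net) for part in split_top_level(spec[1:-1])
                for neg, net in parse_addr_list(part)]
    # strict=False accepts host forms with a mask, e.g. 192.168.1.1/24
    return [(negate, ipaddress.ip_network(spec, strict=False))]

def parse_port_list(spec):
    """Parse a resolved port spec into [(negated, low, high)]: 'any', N, N:M,
    :M, N:, bracket lists and '!' negation."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec[1:].strip() if negate else spec
    if spec == "any":
        return [(negate, 0, 65535)]
    if spec.startswith("[") and spec.endswith("]"):
        return [(neg != negate, lo, hi) for part in split_top_level(spec[1:-1])
                for neg, lo, hi in parse_port_list(part)]
    lo_s, sep, hi_s = spec.partition(":")
    lo = int(lo_s) if lo_s else 0
    hi = (int(hi_s) if hi_s else 65535) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return [(negate, lo, hi)]

if __name__ == "__main__":
    resolved, problems = check_config(SAMPLE_CONF)
    print(resolved, problems, parse_addr_list(resolved["EXTERNAL_NET"]), sep="\n")
```

Running it prints the fully expanded variables followed by one problem line for SQL_SERVERS; `snort -T -c snort.conf` performs the same kind of check, but this runs on any host without snort installed, which is useful when the file is generated by configuration management.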
Decoder configuration. The directives shown commented out are disabled by default; note that every disable_* line silences a whole class of decoder alerts (malformed options are a classic evasion indicator), so only disable what you have confirmed to be benign noise on your network:
# Stop generic decode events:
config disable_decode_alerts
# Stop alerts on experimental TCP options:
config disable_tcpopt_experimental_alerts
# Stop alerts on obsolete TCP options:
config disable_tcpopt_obsolete_alerts
# Stop alerts on T/TCP options:
# config disable_tcpopt_ttcp_alerts
# Stop alerts on all other TCP option type events:
# config disable_tcpopt_alerts
# Stop alerts on invalid IP options:
# config disable_ipopt_alerts
# Alert if the value in a length field (IP, TCP, UDP) is greater than the
# actual length of the captured portion of the packet that the length is
# supposed to represent (this alerts on a length mismatch; it does not
# re-decode oversized packets):
# config enable_decode_oversized_alerts
# Same as above, but drop the packet when running in inline mode;
# enable_decode_oversized_alerts must be enabled for this to work:
# config enable_decode_oversized_drops
# Low-memory pattern-matching method (slower, for sensors with little RAM):
# config detection: search-method lowmem

Step #2: Configure dynamic loaded libraries
Load every dynamic preprocessor library found in the install directory:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Or load one specific dynamic preprocessor library:
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
Load the dynamic detection engine:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Load every dynamic rule library found in the install directory:
dynamicdetection directory /usr/local/lib/snort_dynamicrule/
Or load one specific dynamic rule library:
dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so

Step #3: Configure preprocessors
frag3: target-based IP defragmentation. "Target-based" refers to the destination host, not to a list of target IPs: each engine reassembles overlapping fragments the way the operating system it is bound to would (policy linux, bsd, first, last, ...), so that an attacker cannot slip a payload past snort that the protected host will reassemble differently.
Example and typical configurations:
#preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
#preprocessor frag3_engine: policy linux \
#                           bind_to [10.1.1.12/32,10.1.1.13/32] \    (bind_to: the hosts/networks this engine applies to)
#                           detect_anomalies
#preprocessor frag3_engine: policy first \
#                           bind_to 10.2.1.0/24 \
#                           detect_anomalies
#preprocessor frag3_engine: policy last \
#                           bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd

preprocessor frag3_global: max_frags 65536                    (maximum number of fragments tracked at once)
preprocessor frag3_engine: policy first detect_anomalies      (an engine without bind_to applies to all hosts; the default policy is bsd)

stream4: stateful inspection/stream reassembly for Snort
preprocessor stream4: detect_state_problems      (flags state problems on every TCP packet and will be very noisy)

stream5: target-based stateful inspection/stream reassembly for Snort
stream5 cannot be used together with stream4: enable one or the other, never both.
#preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
#preprocessor stream5_tcp: policy first, use_static_footprint_sizes
#preprocessor stream5_udp: ignore_any_rules

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000     (performance statistics)
# preprocessor http_inspect: global \
#                            iis_unicode_map unicode.map 1252                     (HTTP anomaly detection and normalisation)
# preprocessor rpc_decode: 111 32771                                               (RPC decoding)
# preprocessor bo: noalert { general server } drop { snort_attack }               (Back Orifice detection)

# preprocessor telnet_decode
# preprocessor ftp_telnet
# preprocessor sfportscan            (port scan detection)
# preprocessor smtp
# preprocessor arpspoof              (ARP spoofing detection)
# preprocessor dcerpc
# preprocessor dns
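Added example, not from the original post and not snort's own code: a Python parser for the preprocessor section. It joins backslash-continued lines (which the frag3 examples above rely on), lists the active directives, summarises each frag3_engine with its policy and bind_to list, and checks the constraints this step describes: stream4 and stream5 must not both be active, stream5_tcp/udp need a stream5_global line, and frag3_engine needs frag3_global. The conf fragment is constructed for the example and the problem messages are the example's own wording.

```python
import re

# Constructed snort.conf fragment (assumed, not from any real deployment).
# stream4 and stream5 are both left active on purpose, and stream5_global is
# commented out, so the checks below have something to report.
SAMPLE_CONF = r"""
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux \
                           bind_to [10.1.1.12/32,10.1.1.13/32] \
                           detect_anomalies
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: detect_state_problems
#preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor arpspoof
# preprocessor sfportscan
"""

PREPROC_RE = re.compile(r"^preprocessor\s+(\w+)\s*(?::\s*(.*))?$")

def logical_lines(text):
    """Yield snort.conf logical lines with backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:                      # file ended on a continuation line
        yield " ".join(buf)

def parse_preprocessors(text):
    """Return [(name, args)] for every active (uncommented) preprocessor line."""
    found = []
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = PREPROC_RE.match(line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found

def frag3_engines(text):
    """Summarise each frag3_engine as (policy, bind_to, detect_anomalies);
    snort's defaults are policy bsd and bind_to all."""
    out = []
    for name, args in parse_preprocessors(text):
        if name == "frag3_engine":
            policy = re.search(r"\bpolicy\s+(\w+)", args)
            bind = re.search(r"\bbind_to\s+(\S+)", args)
            out.append((policy.group(1) if policy else "bsd",
                        bind.group(1) if bind else "all",
                        "detect_anomalies" in args))
    return out

def check_preprocessors(text):
    """Return a list of problems found in the preprocessor section."""
    names = [n for n, _ in parse_preprocessors(text)]
    problems = []
    if "stream4" in names and any(n.startswith("stream5") for n in names):
        problems.append("stream4 and stream5 are both active; snort accepts only one of them")
    if any(n in ("stream5_tcp", "stream5_udp") for n in names) and "stream5_global" not in names:
        problems.append("stream5_tcp/stream5_udp configured without stream5_global")
    if "frag3_engine" in names and "frag3_global" not in names:
        problems.append("frag3_engine configured without frag3_global")
    return problems

if __name__ == "__main__":
    for name, args in parse_preprocessors(SAMPLE_CONF):
        print(f"{name}: {args}")
    for engine in frag3_engines(SAMPLE_CONF):
        print("frag3 engine:", engine)
    for p in check_preprocessors(SAMPLE_CONF):
        print("PROBLEM:", p)
```

The frag3 summary is the part worth reading before deployment: an engine whose bind_to covers Windows hosts but whose policy is linux reassembles differently from the target, which is exactly the gap fragmentation evasion exploits.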

Step #4: Configure output plugins

alert_syslog: log alerts to syslog (facility LOG_AUTH, priority LOG_ALERT)
output alert_syslog: LOG_AUTH LOG_ALERT

log_tcpdump: log packets in binary tcpdump (pcap) format
output log_tcpdump: tcpdump.log

database: log to a variety of databases. These lines carry the database credentials in cleartext, so snort.conf must not be world-readable, and the account used should be a dedicated low-privilege one rather than root, as in the first example below:
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

unified: alerting and logging in Snort's unified binary format
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
limit: maximum size of the spool file in MB (default: 128)

Step #5: Configure snort with config statements

Global ignore rules: packets on these ports skip detection entirely (port ranges are written low:high), so keep the list to known noisy services:
# config ignore_ports:
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53

Step #6: Customize your rule set
Each include pulls one rule file into the configuration; a commented-out include disables that file. Snort refuses to start if an included file is missing.
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
include $RULE_PATH/experimental.rules

# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
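Added example, not part of the original post and not snort's own code: a Python checker that resolves every active include line against the variables defined earlier in the file and reports included rule files that are missing (fatal at snort start-up) or that contain no active rule (a silent coverage gap, which is what you get when every line in a file has been commented out). It writes a constructed snort.conf and rules directory to a temporary directory so it runs offline. Resolving relative include paths against the directory that holds snort.conf is an assumption of this example, not snort's own behaviour; adjust `base` if you start snort from another working directory.

```python
import os
import re
import tempfile

# Constructed fixture (assumed, not from any real deployment): a tiny
# snort.conf plus two rule files. web-misc.rules is deliberately NOT created,
# and local.rules deliberately holds only a comment.
CONF = """\
var RULE_PATH rules
include $RULE_PATH/local.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/shellcode.rules
"""
RULE_FILES = {
    "local.rules": "# nothing here yet\n",
    "exploit.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed rule 1"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any any (msg:"disabled"; sid:1000002; rev:1;)\n'
        'alert udp any any -> $HOME_NET 53 (msg:"constructed rule 2"; sid:1000003; rev:1;)\n'
    ),
}
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

def build_fixture():
    """Write CONF and RULE_FILES into a fresh temp dir; return the conf path."""
    root = tempfile.mkdtemp(prefix="snortconf-")
    os.mkdir(os.path.join(root, "rules"))
    for name, body in RULE_FILES.items():
        with open(os.path.join(root, "rules", name), "w") as f:
            f.write(body)
    conf = os.path.join(root, "snort.conf")
    with open(conf, "w") as f:
        f.write(CONF)
    return conf

def count_active_rules(path):
    """Count lines that start with a rule action. Continuation lines of a
    multi-line rule never start with an action, so they are not double-counted."""
    n = 0
    with open(path) as f:
        for line in f:
            words = line.split(None, 1)
            if words and words[0] in RULE_ACTIONS:
                n += 1
    return n

def check_includes(conf_path):
    """Map every active include line to its active-rule count, or 'missing'.
    Example assumption: relative paths resolve against the conf's directory."""
    base = os.path.dirname(os.path.abspath(conf_path))
    variables, report = {}, {}
    with open(conf_path) as f:
        for line in f:
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            m = re.match(r"^(var|ipvar|portvar)\s+(\w+)\s+(\S+)", s)
            if m:
                variables[m.group(2)] = m.group(3)
                continue
            m = re.match(r"^include\s+(\S+)", s)
            if not m:
                continue
            path = re.sub(r"\$(\w+)", lambda r: variables.get(r.group(1), r.group(0)), m.group(1))
            full = path if os.path.isabs(path) else os.path.join(base, path)
            report[m.group(1)] = count_active_rules(full) if os.path.isfile(full) else "missing"
    return report

def summarize(report):
    """Missing files are fatal at snort start-up; zero-rule files are silent gaps."""
    out = []
    for inc, result in report.items():
        if result == "missing":
            out.append(f"FATAL   {inc}: file not found, snort will refuse to start")
        elif result == 0:
            out.append(f"WARNING {inc}: no active rules (empty or fully commented out)")
    return out

if __name__ == "__main__":
    conf = build_fixture()
    report = check_includes(conf)
    for inc, result in report.items():
        print(f"{result!s:>8}  {inc}")
    for line in summarize(report):
        print(line)
```

Point the checker at a real snort.conf instead of the fixture to get the same report before a sensor restart; an include list that grows by copy-and-paste between sensors is the usual source of both kinds of problem.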