Section: File Formats (5)
Updated: 1 April 2002


firestorm.conf - Firestorm NIDS sensor configuration file



firestorm.conf is the configuration file which governs how the firestorm-nids(8) NIDS sensor will run. Any line whose first character is

The file contains entries of the form:

keyword <arg 1> <arg 2> ... <arg n>

Below follows a brief discussion of the usage of each keyword. Your firestorm package should also include a sample configuration file which provides a good commentary.

Directory to chdir() to during operation. All other paths are relative to this one. If omitted it will default to "/".

This is a boolean value. If set to "yes" (without the quotes) firestorm-nids(8) will chroot to the directory given to it by the firestorm_root directive. Note that all files (excluding plugins) that firestorm needs access to while running must be inside the chroot directory!

If this value is non-zero and firestorm-nids(8) is started as root, firestorm-nids(8) will set its GID to this value and drop its membership of all other (supplementary) groups. Firestorm will NOT look up a group name, so you must enter the numeric GID.

If this value is non-zero and firestorm-nids(8) is started as root, firestorm-nids(8) will set its UID to this value. Firestorm will NOT look up a user name, so you must enter the numeric UID.

The load_plugins directive tells firestorm-nids(8) where it can find its plugins. You must specify exactly one directory path as the argument. Firestorm(8) will not recurse into subdirectories. You may specify multiple directories by using multiple load_plugins directives.

The load_plugin directive is similar to the load_plugins directive except that it takes a path to a file rather than a directory. The file should be a valid firestorm-nids(8) plugin. Firestorm will fail to start if any of the files specified by this directive do not load successfully.

This directive is perhaps a little bit of a misnomer. It essentially tells firestorm to daemonise and send all output to a logfile. The single argument is the path to the logfile. You will nearly always want to set this directive. Note that the logfile is overwritten every time firestorm is run; it is only intended to be a record of what happened the last time firestorm was run, for diagnostic purposes. If you do not set this directive, firestorm will not daemonise and will output log messages to stdout.

This directive specifies where firestorm-nids(8) should capture network data from. The first argument specifies what type of device it is capturing from and the second argument consists of plugin-specific options such as what interface to listen on or what file to read from etc...

pcap - Most people will want to capture from the live network with libpcap. This plugin has only one option 'if' which is used to specify which interface to listen on. (eg: if='eth0' or if='any' to listen on all interfaces).

pcapfile - Firestorm(8) can also capture from libpcap files captured, for example by tcpdump. This plugin also has only one argument 'file' to specify the filename. (eg: file='./captures/mynetwork.cap').

linux - Firestorm(8) has the ability to support high-speed OS specific capture plugins. Use this plugin if you run a recent Linux kernel with mmap() packet socket support. This plugin takes two options 'if' and 'blocks' where 'if' is an interface to listen on and blocks is a number specifying how many blocks to use in the ring buffer. Generally the higher this number the more memory is used and the fewer packets will be dropped - you can look in the firestorm log output to get an idea of how much memory (in KB) it translates to. (eg: if='any' blocks=128).

tcpdump - This plugin is a high-speed alternative to the pcapfile plugin and doesn't depend on libpcap. This plugin is recommended over and above pcapfile. It takes the same arguments (eg: file='./myfile.cap').

The preprocessor directive instructs firestorm-nids(8) to initialise and use a preprocessor. No preprocessors are executed unless you specify them here. The first argument to this directive is the name of the preprocessor and the second (optional) parameter is to pass additional configuration to the preprocessor itself.

The output directive is used to configure the alert log directory and log rotation parameters. It requires at least one argument, 'dir', to be set and has optional parameters for fine tuning log rotation. If you specify more than one output directive, alerts will be balanced between the spools. The arguments are documented below:

dir - Sets the location of the log spool directory.

size - Sets the upper bounds on the size of a log file before rotating. Set to zero to disable filesize based log rotation.

minutes - Sets the maximum age, in minutes, that a logfile can reach before being rotated. Set to zero to disable time based log rotation.

stormwall - Must be one of 'none', 'wait' or 'fail'. Tells firestorm how to notify stormwall of new logfiles becoming available. 'none' disables stormwall notification, 'wait' tells firestorm to wait for stormwall to start before capturing packets and 'fail' tells firestorm to immediately fail if stormwall isn't running.

buf - How large to make the output buffer, in bytes. Set to zero for maximum reliability. The higher this value, the higher the performance but the lower the reliability: alerts still sitting in the buffer are lost if the sensor dies before it is flushed. The loss window can be bounded by setting a log rotation size or time limit, because rotated logfiles are *guaranteed* written to disk.

This directive is used to load attack signatures into firestorm-nids(8). It requires 2 parameters: the first specifies the type of signatures being loaded (eg: snort) and the second specifies the path to the file. You can load as many signature files as you need.
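As an added example (not part of this man page or of the Firestorm project), the following Python linter applies the rules described above to a configuration file: the "keyword <arg 1> ... <arg n>" line format with key='value' plugin and output options, the one-argument rule for firestorm_root, load_plugins and load_plugin, the output directive's dir/size/minutes/stormwall/buf constraints, and whether dir= and file= paths stay inside firestorm_root, which is what the chroot requires of every file except plugins. It assumes that a line beginning with '#' is a comment (the page's sentence on comments is truncated) and that a size= or minutes= that is not given means that kind of rotation is disabled. Directive names whose headings were lost in extraction are not guessed; unknown keywords are passed through unchecked. The sample configuration is constructed for the example.

```python
"""Lint a firestorm.conf for the constraints described in this man page.

Added example, not Firestorm code.  Assumptions: '#' begins a comment line,
and a size=/minutes= that is not given counts as rotation disabled.
"""
import os
import shlex

STORMWALL_MODES = {"none", "wait", "fail"}
ONE_PATH_ARG = {"firestorm_root", "load_plugins", "load_plugin"}

# Constructed sample configuration (not from a real deployment).  Line 4 has
# two directories on one load_plugins line and line 6 has three problems.
SAMPLE_CONF = """\
# firestorm.conf (constructed example)
firestorm_root /var/lib/firestorm
load_plugins /usr/lib/firestorm/plugins
load_plugins /usr/lib/firestorm/plugins /opt/extra    # too many arguments
output dir='spool' size=1048576 minutes=10 stormwall=wait buf=0
output dir='../../var/log/fs' size=0 minutes=0 stormwall=maybe buf=65536
preprocessor frag
"""


def parse_conf(text):
    """Split 'keyword arg ...' lines into (lineno, keyword, positional, options).

    key='value' words become options (shlex strips the quotes, so if='eth0'
    and if=eth0 are the same); other words stay positional.  Blank lines and
    '#' comments are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        positional, options = [], {}
        for word in words[1:]:
            if "=" in word:
                key, value = word.split("=", 1)
                options[key] = value
            else:
                positional.append(word)
        entries.append((lineno, words[0], positional, options))
    return entries


def check_inside_root(root, path):
    """Resolve path the way firestorm does (relative to firestorm_root after
    chdir) and report whether it stays under root.  A path that climbs out
    with '..' or is absolute will not be where the author expects once the
    sensor has chrooted."""
    root = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root, path))
    return target == root or target.startswith(root.rstrip(os.sep) + os.sep)


def _uint(options, key):
    """Integer value of a numeric option, or None if absent or malformed."""
    value = options.get(key)
    return int(value) if value is not None and value.isdigit() else None


def lint(text):
    """Return [(lineno, message), ...] for every violation found in text."""
    entries = parse_conf(text)
    root = "/"  # documented default when firestorm_root is omitted
    for _, keyword, positional, _ in entries:
        if keyword == "firestorm_root" and positional:
            root = positional[0]

    findings = []
    for lineno, keyword, positional, options in entries:
        if keyword in ONE_PATH_ARG and len(positional) != 1:
            findings.append((lineno, f"{keyword} takes exactly one path, got {len(positional)}"))
        elif keyword == "preprocessor" and not positional:
            findings.append((lineno, "preprocessor needs a name"))
        elif keyword == "output":
            if "dir" not in options:
                findings.append((lineno, "output requires dir="))
            for key in ("size", "minutes", "buf"):
                if key in options and _uint(options, key) is None:
                    findings.append((lineno, f"output {key}= must be a non-negative integer"))
            mode = options.get("stormwall", "none")
            if mode not in STORMWALL_MODES:
                findings.append((lineno, f"output stormwall= must be none, wait or fail, got {mode!r}"))
            # buf>0 trades reliability for speed; rotation bounds the loss window
            if _uint(options, "buf") and not _uint(options, "size") and not _uint(options, "minutes"):
                findings.append((lineno, "output buf>0 with no size/minutes rotation: unflushed alerts are lost if the sensor dies"))
        # Plugins may live outside the chroot; every other path must be inside it.
        if keyword not in ("load_plugin", "load_plugins"):
            for key in ("dir", "file"):
                if key in options and not check_inside_root(root, options[key]):
                    findings.append((lineno, f"{key}={options[key]!r} does not stay under firestorm_root {root!r}"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Run against the embedded sample it reports the extra load_plugins argument on line 4 and, on line 6, the bad stormwall mode, the unbounded output buffer and the dir= path that climbs out of firestorm_root. The path check is deliberately strict about absolute paths as well: without chroot they point at the host filesystem outside the root, and with chroot the file has to exist under the root on the host, so either way the line deserves a second look.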






Original version by Gianni Tedesco.

Man page by Gianni Tedesco <gianni at scaramanga dot co dot uk>

Copyright (C) 2002 by Gianni Tedesco <gianni at scaramanga dot co dot uk>