Section: File Formats (5)
Updated: 1 April 2002
firestorm.conf - Firestorm NIDS sensor configuration file
firestorm.conf is the configuration file which governs how the
firestorm-nids(8) NIDS sensor will run. Any line whose first character is
The file contains entries of the form:
keyword <arg 1> <arg 2> ... <arg n>
Below follows a brief discussion of the usage of each keyword. Your firestorm
package should also include a sample configuration file which provides a good
Directory to chdir() to during operation. All other paths are relative to this
one. If omitted it defaults to "/".
This is a boolean value. If set to "yes" (without the quotes)
firestorm-nids(8) will chroot to the directory given to it by the
firestorm_root directive. Note that all files (excluding plugins) that
firestorm needs access to while running must be inside the chroot directory!
If this value is non-zero and firestorm-nids(8) is started as root,
firestorm-nids(8) will set its GID to this value. Firestorm will shed its
membership of any other groups. Firestorm will NOT look up a group name, so you
must enter the numeric GID.
If this value is non-zero and firestorm-nids(8) is started as root,
firestorm-nids(8) will set its UID to this value. Firestorm will NOT look
up a user name, so you must enter the numeric UID.
The load_plugins directive tells firestorm-nids(8) where it can find
its plugins. You must specify exactly one directory path as the argument.
Firestorm(8) will not recurse into subdirectories. You may specify multiple
directories by using multiple load_plugins directives.
The load_plugin directive is similar to the load_plugins directive
except that it takes a path to a file rather than a directory. The file
should be a valid firestorm-nids(8) plugin. Firestorm will fail to start
if any of the files specified by this directive do not load successfully.
This directive is perhaps a little bit of a misnomer. It essentially tells
firestorm to daemonise and send all output to a logfile. The single argument is
the path to the logfile. You will nearly always want to set this directive. Note
that the logfile gets overwritten every time firestorm is run
- it is only intended to be a record of what happened the last time firestorm was
run, for diagnostic purposes. If you do not set this directive, firestorm will
not daemonise and will output log messages to stdout.
This directive specifies where firestorm-nids(8) should capture network
data from. The first argument specifies what type of device it is capturing
from and the second argument consists of plugin-specific options such as what
interface to listen on or what file to read from.
pcap - Most people will want to capture from the live network with
libpcap. This plugin has only one option 'if' which is used to specify which
interface to listen on. (eg: if='eth0' or if='any' to listen on all interfaces).
pcapfile - Firestorm(8) can also capture from libpcap files
captured, for example by tcpdump. This plugin also has only one argument 'file'
to specify the filename. (eg: file='./captures/mynetwork.cap').
linux - Firestorm(8) has the ability to support high-speed OS
specific capture plugins. Use this plugin if you run a recent Linux kernel with
mmap() packet socket support. This plugin takes two options 'if' and 'blocks'
where 'if' is an interface to listen on and blocks is a number specifying how
many blocks to use in the ring buffer. Generally, the higher this number, the more
memory is used and the fewer packets are dropped; the firestorm log output
reports how much memory (in KB) a given value translates to.
(eg: if='any' blocks=128).
tcpdump - This plugin is a high-speed alternative to the pcapfile plugin and
does not depend on libpcap. This plugin is recommended over pcapfile.
It takes the same argument (eg: file='./myfile.cap').
The preprocessor directive instructs firestorm-nids(8) to initialise
and use a preprocessor. No preprocessors are executed unless you specify them
here. The first argument to this directive is the name of the preprocessor and
the second (optional) parameter is to pass additional configuration to the
The output directive is used to configure the alert log directory and log
rotation parameters. It requires at least one argument, 'dir', to be set and has
optional parameters for fine-tuning log rotation. If you specify more than one
output directive, alerts will be balanced across the spools. The arguments
are documented below:
dir - Sets the location of the log spool directory.
size - Sets the upper bound on the size of a log file before it is rotated. Set
to zero to disable size-based log rotation.
minutes - Sets the maximum time, in minutes, that a logfile may be written to
before being rotated. Set to zero to disable time-based log rotation.
stormwall - Must be one of 'none', 'wait' or 'fail'. Tells firestorm how
to notify stormwall of new logfiles becoming available. 'none' disables stormwall
notification, 'wait' tells firestorm to wait for stormwall to start before capturing
packets and 'fail' tells firestorm to fail immediately if stormwall isn't running.
buf - How large to set the output buffer, in bytes. Set to zero for
maximum reliability. The higher this value, the higher the performance but the
lower the reliability, since buffered alerts not yet flushed are lost if the
sensor dies. The reliability cost can be bounded by a log rotation size or time
limit: rotated logfiles are *guaranteed* written to disk.
This directive is used to load attack signatures into firestorm-nids(8).
It requires 2 parameters: the first specifies the type of signatures being loaded
(eg: snort) and the second specifies the path to the file. You can load as many
signature files as you need.
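The following is an added example, not code from Firestorm itself: a small
parser for the keyword/argument format described above, together with a
checker that flags the privilege-separation and output-buffering settings this
page warns about. Only firestorm_root, load_plugins, load_plugin, preprocessor
and output are directive names taken from the man page; the names chroot, uid,
gid, logfile, capture and signatures are assumed for the directives whose
headings are not reproduced here, as is '#' as the comment marker. The two
sample configurations are constructed for the example.

```python
# Added example: parser and sanity checker for the firestorm.conf format.
# Not Firestorm's own code. Directive names other than firestorm_root,
# load_plugins, load_plugin, preprocessor and output are assumptions, as is
# the '#' comment marker.
import shlex

CHROOT, UID, GID, LOGFILE, CAPTURE, SIGNATURES = (
    "chroot", "uid", "gid", "logfile", "capture", "signatures")


def parse_config(text):
    """Return [(keyword, [args])] for every non-blank, non-comment line.

    shlex strips the quotes from values such as if='eth0', so an option
    argument arrives as "if=eth0".
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def parse_options(args):
    """Turn ["if=eth0", "blocks=128"] into {"if": "eth0", "blocks": "128"}."""
    opts = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError("expected key=value option, got %r" % arg)
        key, value = arg.split("=", 1)
        opts[key] = value
    return opts


def first(directives, keyword):
    """Arguments of the first occurrence of keyword, or None if absent."""
    for kw, args in directives:
        if kw == keyword:
            return args
    return None


def check_config(directives):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = first(directives, "firestorm_root")
    chroot = first(directives, CHROOT)
    if chroot and chroot[0] == "yes" and (root is None or root[0] == "/"):
        findings.append("chroot enabled but firestorm_root is '/': confines nothing")
    # A zero or absent uid/gid means the sensor keeps root; names are not looked up.
    for name in (UID, GID):
        val = first(directives, name)
        if val is None or val[0] == "0":
            findings.append("%s unset or zero: sensor keeps root privileges" % name)
        elif not val[0].isdigit():
            findings.append("%s must be numeric, got %r" % (name, val[0]))
    if first(directives, LOGFILE) is None:
        findings.append("no logfile: sensor will not daemonise, logs go to stdout")
    captures = [args for kw, args in directives if kw == CAPTURE]
    if not captures:
        findings.append("no capture directive")
    for args in captures:
        plugin, opts = args[0], parse_options(args[1:])
        if plugin in ("pcap", "linux") and "if" not in opts:
            findings.append("capture plugin %s needs an if= option" % plugin)
        if plugin in ("pcapfile", "tcpdump") and "file" not in opts:
            findings.append("capture plugin %s needs a file= option" % plugin)
    outputs = [parse_options(args) for kw, args in directives if kw == "output"]
    if not outputs:
        findings.append("no output directive: alerts have nowhere to go")
    for opts in outputs:
        if "dir" not in opts:
            findings.append("output directive without dir=")
        # Buffered alerts are only guaranteed on disk once the file rotates.
        if (opts.get("buf", "0") != "0" and opts.get("size") == "0"
                and opts.get("minutes") == "0"):
            findings.append("output buffered with rotation disabled: "
                            "buffered alerts are lost if the sensor dies")
    return findings


# Constructed sample configurations (not shipped with Firestorm).
WEAK_CONF = """
# runs as root, chroots to /, buffers alerts with no rotation
firestorm_root /
chroot yes
uid 0
logfile ./firestorm.log
load_plugins ./plugins
capture pcap if='eth0'
output dir='./spool' size=0 minutes=0 buf=65536
signatures snort ./rules/web.rules
"""

HARDENED_CONF = """
firestorm_root /var/lib/firestorm
chroot yes
uid 1001
gid 1001
logfile ./firestorm.log
load_plugins /usr/lib/firestorm/plugins
capture linux if='eth0' blocks=128
output dir='./spool' size=10485760 minutes=30 buf=4096 stormwall='none'
signatures snort ./rules/web.rules
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_config(parse_config(conf)))
```

Running the block prints four findings for the weak configuration (chroot to
'/', uid 0, missing gid, buffering without rotation) and none for the hardened
one. All paths in the hardened sample are relative to firestorm_root, as the
page describes, except the plugin directory, which the page exempts from the
chroot.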
Original version by Gianni Tedesco.
Man page by Gianni Tedesco <gianni at scaramanga dot co dot uk>
Copyright (C) 2002 by Gianni Tedesco <gianni at scaramanga dot co dot uk>