

Command line parameters

-c <config file>  Specifies the name of the configuration file.
                  Default is /etc/
                  Only an absolute filename is accepted here.
-v [-v [-v]]      Increases the verbosity level (each -v adds one).
-D|--daemon       Daemon mode.
-n|--nice level   Sets the priority level (see the "nice" option below).
--once            Process each spool once, then exit.
-h|--help         Prints this help message.

Configuration file format

# Global parameters:

global {
# Turn on daemon mode (same as -D).
# mudpit will not become a daemon if the verbosity level is > 0.
# Default: not a daemon.
# Conflicts with: verbose.

# Verbosity level (the same as the appropriate number of "-v" args)
# Default: 0
# Conflicts with: daemon
verbose = 4

# The following are text files that contain important
# event-related information. All of them are shipped with the
# Snort distribution; see its documentation for details.
# If not absolute, filenames are resolved relative to the directory
# containing the main configuration file (see the -c parameter).
# They are all assigned their respective default values here.
class_file = "classification.config"
sid_file = ""
gen_file = ""
ref_file = "reference.config"

# The pid file is used in daemon mode only.
# Default: "/var/run/"
pid_file = "/var/run/"

# nice: changes the priority of each spool processor
# (see renice(8) for details). The main process is unaffected.
# Default: 0
nice = 5

# run_once: mudpit processes the data already present in each spool,
# then exits instead of waiting for new incoming data (same as --once).
# Default: false

# Spool configuration. One or more spools must be configured.
# A spool definition contains the absolute path of a spool directory
# (that is, the directory containing Snort's log/alert file pair)
# and the parameters for that spool's processor.
spool "/snort/spool" {

# The name of a lock resource for this spool. The spool processor will
# try to obtain an exclusive lock on this resource each time before it
# attempts to send data to the output plugins. Only alphanumeric
# characters and '_' are allowed in the resource name.
# Default: none (no locking)
lock = "mysql"

# delete_processed: the spool processor deletes each Snort output file
# once a newer file becomes available.
# Default: don't delete

# Copy each Snort output file to the specified directory once it has been
# processed. If 'delete_processed' is also set, the processed file is moved
# from the spool directory to the arch directory instead of being copied.
# An absolute path is required.
arch_dir= "/snort/arch"

# Set the euid/uid and egid/gid of this spool processor to those of the
# given user and that user's primary group, so the processor does not keep
# running with root's identity. This only takes effect if Mudpit is
# started as root.
# Default: euid/uid and egid/gid are not changed.
user = "snort"

# Specifies the name of the checkpoint file.
# Default: "checkpoint"
checkpoint = "checkpoint"

# The name of the output plugin. At least one plugin must be specified.
# The string after the comma is a parameter passed to the plugin; its
# format depends on the plugin type (the plugin's mp_out_init entry point
# must understand it).
# Default: none.
output = "/snort/",
"server alisa, user snort, database snort, 
	hostname TEST, interface little_piggy, detail full"