The general configuration file of Orchids, orchids.conf, is a list of commands, one per line, of the following form.  Lines starting with # are comments.

  • MaxMemorySize n: declares the maximum amout of memory that Orchids is allowed to consume while running, as a number n of bytes.  See the low memory page to understand the purpose of that directive.
  • RainyDayFund n: declares the amount of memory that Orchids will preallocate as a rainy day fund.
  • ModuleDir dir: declares that dir is the directory where Orchids will find its modules.  Typical value is /usr/local/lib/orchids (@@LIBDIR@@/orchids if you look at orchids.conf.dist instead of orchids.conf).
  • LockFile file: sets file as Orchids lock file. Serves to ensure that at most one Orchids process is running on the system. Default file is @prefix@/var/run/orchids/orchids.lock, where @prefix@ is typically /usr/local.
  • RuntimeUser user: declares that Orchids should run as user user. Typical value is nobody (@@RUNUSER@@ if you look at orchids.conf.dist instead of orchids.conf).
  • Nice pri: sets the priority of the Orchids process to pri.
  • PollPeriod secs: instructs Orchids that it should poll files every secs seconds.  Orchids can read events from files or from sockets.  Only the first kind requires polling.  One can specify fractional values for seconds.  The IDMEF time format is recognized as well.
  • ResolveIP opt, where opt is yes, 1, on, true, enabled (all meaning true), or anything else (meaning false): if enabled, will tell Orchids to print IP addresses by adding the corresponding host name. Good for demos, slow in actual applications. Typical value is no.
  • Include file: include configuration file file. Used mainly to include the orchids-modules.conf, orchids-rules.conf, and orchids-inputs.conf files, as well as module-specific configuration files. Regexps are legal, e.g.:
    Include "@@ETCDIR@@/orchids/conf.d/*.conf"

Some other commands are in principle legitimate, too, such as INPUT or DISSECT, or AddModule for example. They are better used in specific included files, such as orchids-inputs.conf for the first two, or orchids-modules.conf for the last one. They are documented on the corresponding pages.

Obsolete commands include:

  • AddPreprocessorCmd suffix cmd: declares that those rule files whose name ends in suffix should first be processed by running cmd on it. Removed for security reasons.
  • SetPreprocessorCmd suffix cmd: declares that cmd should be the default preprocessor. Removed for security reasons.