SAM Configuration

Configuration is broken into 2 parts:

SAM Global Configuration    (conf/sam.properties)
This configuration file holds the global, system-wide settings for SAM. The format is simple: "key=value" pairs, one per line, and values do not have to be wrapped in quotes.
Below is a table of the fields in the file and an explanation of each. Though you can edit the file manually, it is not recommended.

Field    Definition/Explanation

email.from
    The email address that the alert email will appear to come from.
LogFileLogger.LogFile
    The path (absolute, or relative to the sam directory) where the log file resides.
email.host
    The outgoing SMTP server used to transport the email alert.
email.to
    The email address of the user that the alert email is destined for.
AttackColumns
    A comma-separated list of visible columns (this list is an enumeration of fields, rather than the field names). Altering this manually is not recommended, as it can cause undesirable behaviour in the application; there is a GUI inside the application to configure this for you, using column names rather than the enumeration values.
alertlevel.medium
    A numerical field that represents the threshold for the medium alert level (yellow traffic light status). When the number of alerts in the past five minutes is equal to or above this value (but below the alertlevel.high threshold), the alert level is set to medium and the traffic light flashes yellow.
DatabaseUID
    This setting has little impact on the application; it merely keeps track of the last used configuration (so that it is selected when you open SAM).
Lookup-Threshhold
    A rate (a decimal value between 0.0 and 1.0) that determines when SAM will stop looking up host names, to keep the interface from locking up due to network-based errors. Windows-based networking is vastly slower both at looking up hosts and at timing out during a lookup. The application keeps track of the number of successful and unsuccessful host lookups and uses these to calculate a "success rate"; if the success rate drops below this threshold, lookups stop happening altogether.
DisableLookup
    This feature was also inspired by Windows-based networking: because Windows applications take so long to look up hosts, I added this setting. If it is set to false, the application attempts to look up the hostname (from the IP address) of every attack in the last hour when it starts, though it now keeps a cache of lookups. If the host is not in the cache and DisableLookup is set to false, a lookup is performed. If the host is not in the cache and DisableLookup is set to true, no lookup is performed (unless a lookup is forced; there are features within SAM that bypass the "DisableLookup" system setting).
alertlevel.high
    A numerical field that represents the threshold for the high alert level (red traffic light status). When the number of alerts in the past five minutes is equal to or above this value, the alert level is set to high and the traffic light flashes red.
mainpanel.refresh
    The amount of time (in minutes) between refreshes of the data. The data refreshed is the number of attacks in the last 5, 15, 30, 45 and 60 minutes; the top attack types in the last 24 hours; the top attackers in the past 24 hours; and the last 60 minutes of attacks (with various information about each attack, for instance sensor interface, source IP, destination IP, timestamp, attack type, etc.).
DatabaseType
    Currently this is either "PostgreSQL" or "MySQL". It matters mainly at runtime, where it records the current database connection type.
email.active
    Either "true" or "false". If it is true, then whenever the alert level jumps up to high an email is sent to the address specified by "email.to", via the server "email.host", appearing to come from "email.from" (unless an exception occurs).
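As an added example (not SAM's own code or part of this documentation), the following Python puts the alert-level rule (alertlevel.medium, alertlevel.high and the count of alerts in the past five minutes), the email trigger (email.active) and the host-lookup rule (DisableLookup, Lookup-Threshhold) into small functions over a settings dictionary, so the values can be checked before they are deployed. The sample values, the name "low" for the level below medium, and the assumption that a forced lookup also bypasses the success-rate check are mine, not SAM's.

```python
# Added example, not SAM's own code: the alert-level and host-lookup rules
# from the table above, written as plain functions over a settings dict.
# SAMPLE_SETTINGS is a constructed sample of conf/sam.properties; the key
# names and their meanings are the documented ones.

SAMPLE_SETTINGS = {
    "email.active": "false",
    "email.from": "sam@example.invalid",
    "email.to": "soc@example.invalid",
    "email.host": "smtp.example.invalid",
    "alertlevel.medium": "5",
    "alertlevel.high": "20",
    "mainpanel.refresh": "5",
    "Lookup-Threshhold": "0.75",
    "DisableLookup": "false",
    "DatabaseType": "PostgreSQL",
}


def as_bool(settings, key):
    """Properties values are unquoted strings; accept only the two documented spellings."""
    value = settings.get(key, "false").strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"{key} must be true or false, got {value!r}")
    return value == "true"


def alert_thresholds(settings):
    """Return (medium, high) after checking both are non-negative and ordered."""
    medium = int(settings["alertlevel.medium"])
    high = int(settings["alertlevel.high"])
    if medium < 0 or high < 0:
        raise ValueError("alert thresholds must be non-negative")
    if medium > high:
        raise ValueError("alertlevel.medium must not exceed alertlevel.high")
    return medium, high


def alert_level(alerts_last_five_minutes, settings):
    """Traffic-light level for a count of alerts seen in the past five minutes."""
    medium, high = alert_thresholds(settings)
    if alerts_last_five_minutes >= high:
        return "high"    # red
    if alerts_last_five_minutes >= medium:
        return "medium"  # yellow
    return "low"         # below medium; the page does not name this level, "low" is our label


def should_send_email(previous_level, new_level, settings):
    """The documented trigger: email.active is true and the level jumps up to high."""
    return (as_bool(settings, "email.active")
            and new_level == "high" and previous_level != "high")


def lookup_allowed(successes, failures, settings, cached=False, forced=False):
    """Decide whether to resolve a hostname for one address.

    The order follows the DisableLookup and Lookup-Threshhold entries: a forced
    lookup bypasses DisableLookup (and, by our assumption, the rate check too);
    a cached name needs no lookup; DisableLookup=true stops everything else;
    otherwise the running success rate must stay at or above the threshold.
    """
    if forced:
        return True
    if cached:
        return False
    if as_bool(settings, "DisableLookup"):
        return False
    threshold = float(settings["Lookup-Threshhold"])
    if not 0.0 <= threshold <= 1.0:
        raise ValueError("Lookup-Threshhold must lie between 0.0 and 1.0")
    attempts = successes + failures
    if attempts == 0:
        return True  # no history yet, so there is no rate to judge
    return successes / attempts >= threshold
```

The thresholds are validated together because a medium value above the high value would make the yellow state unreachable, which the key-by-key descriptions do not catch; the success-rate comparison uses "at or above" so that a threshold of 1.0 still allows lookups while every attempt succeeds.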


SAM Database Configurations    (conf/db/*)
Any file within the database configuration folder (conf/db) is treated as a "Database Configuration File". Don't go storing just any files in there (they will be overwritten occasionally).
Sample Configuration File
#############################################
#     Sample Configuration File
#############################################
database.uid=Snort IDS Sensor 1
database.type=PostgreSQL
driver.classname=org.postgresql.Driver
database.url=jdbc:postgresql://snort-ids01:5432/snort
database.username=snortuser
database.password=

Field    Definition/Explanation

database.uid
    A unique identifier used merely to label the database connection. It is the name displayed in the database select box of the database login window.
database.type
    The type of database connection that the configuration is for; currently the only supported database types are "MySQL" and "PostgreSQL".
driver.classname
    The JDBC driver class that accompanies the database.type field. If your database is a MySQL database, this value should be "org.gjt.mm.mysql.Driver"; if it is a PostgreSQL database, it should be "org.postgresql.Driver".
database.url
    A URL that tells SAM how to connect to your snort database. It is of the form
    jdbc:[database_type]://[database_server]:[database_port]/[database_name]
    JDBC URL parameters:
      • [database_type] is either "postgresql" or "mysql", depending on the type of database you are using.
      • [database_server] is either a friendly name or the actual IP address of the database server holding the snort database that you are connecting to.
      • [database_port] is the port on which the database server is running its database (typically 5432 for postgresql and 3306 for mysql).
      • [database_name] is the name of the snort database (typically just "snort").
database.username
    The username that you will use to connect to the snort database.
database.password
    The password for the username that you will use to connect to the snort database.
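As an added example, not SAM's own code, the following Python reads a conf/db file in the key=value form shown above, checks that database.type, driver.classname and database.url agree with one another and with the documented URL form, and reports an empty password. Because database.password sits in clear text in this file, it also writes the file with owner-only permissions and checks them. The sample file contents and the finding messages are constructed; the key names, driver classes and default ports are the ones documented above, and the permission check assumes a POSIX file system.

```python
# Added example, not SAM's own code: load a conf/db/*.properties file, check
# that its fields agree with each other, and keep the clear-text password
# private. Sample contents below are constructed; hostnames and names are
# placeholders.
import os
import re
import stat
import tempfile

# Driver class that goes with each database.type (values from the table above).
DRIVER_FOR_TYPE = {
    "MySQL": "org.gjt.mm.mysql.Driver",
    "PostgreSQL": "org.postgresql.Driver",
}
# Default ports named in the JDBC URL parameter list above.
DEFAULT_PORT = {"mysql": 3306, "postgresql": 5432}

# jdbc:[database_type]://[database_server]:[database_port]/[database_name]
JDBC_URL = re.compile(
    r"^jdbc:(?P<type>postgresql|mysql)://(?P<server>[^:/]+):(?P<port>\d+)/(?P<name>[^/?#]+)$"
)

SAMPLE_DB_PROPERTIES = """\
# Sample Configuration File (constructed)
database.uid=Snort IDS Sensor 1
database.type=PostgreSQL
driver.classname=org.postgresql.Driver
database.url=jdbc:postgresql://snort-ids01:5432/snort
database.username=snortuser
database.password=
"""


def parse_properties(text):
    """Parse unquoted key=value lines; blank lines and '#' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        props[key.strip()] = value.strip()
    return props


def parse_jdbc_url(url):
    """Split a SAM-style JDBC URL into its four documented parameters."""
    m = JDBC_URL.match(url)
    if not m:
        raise ValueError(f"database.url does not match the documented form: {url!r}")
    return {"type": m["type"], "server": m["server"], "port": int(m["port"]), "name": m["name"]}


def check_db_config(props):
    """Return a list of findings; an empty list means the file is internally consistent."""
    findings = []
    db_type = props.get("database.type", "")
    expected_driver = DRIVER_FOR_TYPE.get(db_type)
    if expected_driver is None:
        findings.append(f"unsupported database.type {db_type!r}")
    elif props.get("driver.classname") != expected_driver:
        findings.append(f"driver.classname should be {expected_driver} for {db_type}")
    try:
        url = parse_jdbc_url(props.get("database.url", ""))
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if url["type"] != db_type.lower():
            findings.append("database.url type does not match database.type")
        if url["port"] != DEFAULT_PORT[url["type"]]:
            findings.append(f"non-default port {url['port']} for {url['type']} (verify)")
    if not props.get("database.password"):
        findings.append("database.password is empty")
    return findings


def write_db_config(text, directory=None):
    """Write a configuration file readable by its owner only and return its path.

    mkstemp creates the file with mode 0600, so the password never sits in a
    world-readable file, even briefly.
    """
    fd, path = tempfile.mkstemp(suffix=".properties", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def file_is_private(path):
    """True when neither group nor others can read the file that holds the password."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))
```

Running check_db_config over the sample file yields only the empty-password finding; swapping database.type to "MySQL" without changing the driver or the URL produces two further findings, which is the mismatch a copy-pasted sensor configuration typically carries.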