Configuration - Attack Surface Management Solutions

Most Sn1per Pro behavior is controlled by two files:

/usr/share/sniper/sniper.conf — scan engine defaults (threads, DNS, AI, RAG, Burp, notifications, etc.)
/usr/share/sniper/pro/settings.php — Pro web UI tunables (license key, install dir, workspace limits, Burp host)

Change either file and restart Apache (sudo systemctl reload apache2) to pick up PHP-side changes. Scan engine changes take effect on the next sniper invocation.

sniper.conf — scan engine

sniper.conf contains ~260 settings. The most commonly tuned are below. Per-scan overrides can be supplied with sniper -c /path/to/override.conf, or by selecting a different template from the Config Editor in the web UI (templates live under /usr/share/sniper/conf/).

Core

Setting	Default	Description
`INSTALL_DIR`	`/usr/share/sniper`	Root install path (do not change without reinstalling)
`THREADS`	`30`	Concurrent scan threads
`DNS_RESOLVER`	`8.8.8.8`	DNS resolver for recon
`USER_AGENT`	`Googlebot`	Default HTTP User-Agent
`BROWSER`	`firefox`	Screenshot browser
`VERBOSE`	`0`	Verbose logging (`0`/`1`)
`DEBUG`	`0`	Debug logging (`0`/`1`)

Scope

Setting	Default	Description
`SCOPE`	`""`	In-scope hosts/patterns
`OUT_OF_SCOPE`	Sn1per domains	Bash array of domains to skip
`REMOVE_RESUME_FILES`	`0`	Delete resume state after scan

Scan gates

Setting	Default	Description
`AUTO_BRUTE`	`0`	Run bruteforce mode automatically
`OSINT`	`0`	Run OSINT collection
`RECON`	`0`	Run recon modules
`VULNSCAN`	`0`	Run vulnerability scans

AI integration

Sn1per Pro ships with AI-assisted analysis (default: Ollama with deepseek-v3.2:cloud). To use a commercial provider, set AI_PROVIDER and supply the relevant API key via environment variable or provider-specific config.

Setting	Default	Description
`AI_ENABLED`	`1`	Master AI switch
`AI_PROVIDER`	`ollama`	One of `ollama`, `openai`, `claude`, `claude-code`, `gemini`
`AI_MODEL`	`deepseek-v3.2:cloud`	Model identifier for the chosen provider
`AI_FALLBACK_PROVIDER` / `AI_FALLBACK_MODEL`	`""`	Optional fallback on primary failure
`AI_SCAN_ANALYSIS`	`0`	AI summarizes scan output
`AI_SCAN_DECISIONING`	`0`	AI decides next scan steps
`AI_VULNERABILITY_ANALYSIS`	`0`	AI triages findings
`AI_REPORT_ENHANCEMENT`	`1`	AI-augmented scan reports
`AI_BRUTEFORCE`	`1`	AI-generated wordlists for bruteforce
`AI_AGENT_MODE`	`0`	Enable autonomous agent mode
`AI_TEMPERATURE`	`0.1`	Sampling temperature
`AI_MAX_TOKENS`	`4096`	Max output tokens per query
`AI_TIMEOUT`	`120`	Per-request timeout in seconds
`AI_MAX_QUERIES_PER_SCAN`	`50`	Hard ceiling per scan
`AI_MAX_INPUT_TOKENS_PER_QUERY`	`50000`	Input size ceiling per query
`AI_SANITIZE_ENABLED`	`1`	Scrub sensitive strings before sending to the LLM
`MAX_PARALLEL_AGENTS`	`3`	Concurrent agent workers

Phase 2 (active verification) model routing

Sn1per Pro can use a different AI model for Phase 2 active verification (exploit payload generation, WAF bypass, etc.) than for general scan analysis. Leave blank to use the primary AI_PROVIDER / AI_MODEL.

Setting	Default	Description
`AI_PHASE2_PROVIDER`	`""`	Override provider for Phase 2
`AI_PHASE2_MODEL`	`""`	Override model for Phase 2
`AI_PHASE2_URL`	`""`	Override API base URL for Phase 2

RAG Security Knowledge Engine

Sn1per Pro can enrich scans with the Sn1per RAG engine (OWASP Top 10, CWE Top 25, Exploit-DB, SecLists, CVE data, 80K+ documents). See the RAG engine docs for setup.

Setting	Default	Description
`RAG_INGEST_ENABLED`	`0`	Feed scan findings back into the RAG KB
`RAG_API_URL`	`http://localhost:8000`	RAG Engine endpoint

Burp Suite integration

Setting	Default	Description
`BURP_SCAN`	`0`	Route traffic through Burp proxy during scans
`BURP_HOST`	`127.0.0.1`	Burp proxy host
`BURP_PORT`	`1338`	Burp proxy port
`BURP_MCP`	`0`	Enable the Burp MCP integration
`BURP_MCP_PORT`	`9876`	Burp MCP endpoint port

Notifications

Sn1per supports Slack and SMTP notifications for recon deltas and vulnerabilities.

Setting	Default	Description
`SLACK_NOTIFICATIONS`	`0`	Master Slack switch
`SLACK_SCREENSHOTS`	`0`	Attach screenshots
`SLACK_NOTIFICATIONS_*`	`0`	Per-event switches (domains, takeovers, subnets, nmap diff, vulns, …)
`SMTP_ALERTS_EMAIL_FROM` / `SMTP_ALERTS_EMAIL_TO`	placeholders	SMTP from/to addresses
`SMTP_ALERTS_NEW_DOMAINS` / `SMTP_ALERTS_TAKEOVERS` / `SMTP_ALERTS_VULNERABILITIES`	`0`	Per-event switches
`EMAILFORMAT`	`1`	`0` = plain text, `1` = HTML

Bruteforce wordlists

Setting	Default
`USER_FILE`	`/usr/share/brutex/wordlists/simple-users.txt`
`PASS_FILE`	`/usr/share/brutex/wordlists/password.lst`

OpenVAS integration

Setting	Default	Description
`OPENVAS_HOST`	`127.0.0.1`	OpenVAS GMP host
`OPENVAS_PORT`	`9390`	OpenVAS GMP port
`OPENVAS_USERNAME`	`admin`	GMP user
`OPENVAS_PASSWORD`	`""`	GMP password
`OPENVAS_PORT_LIST`	`1-65535`	Port list name

settings.php — Pro web UI

/usr/share/sniper/pro/settings.php contains PHP-visible tunables. The license key and customer email are set at install time; do not edit them manually.

Setting	Default	Description
`$LICENSE_KEY`	(per-customer)	Activated license hash. Do not edit
`$EMAIL`	(per-customer)	Customer email. Do not edit
`$INSTALL_DIR`	`/usr/share/sniper`	Match `sniper.conf` `INSTALL_DIR`
`$MAX_LINES`	`500`	Max lines to render in full output panes
`$MAX_STATIC_LINES`	`50`	Max lines for inline previews
`$MAX_REPORTS`	`30`	Max recent reports in sidebar
`$MAX_WORKSPACES`	`6`	Max workspaces on navigator dashboard
`$MAX_HOSTS`	`30`	Max hosts per workspace overview
`$MAX_SCAN_TASKS`	`20`	Max entries in the Scan Tasks drawer
`$MAX_NOTIFICATIONS`	`1000`	Ring buffer for change notifications
`$WORKSPACE_CRITICAL_THRESHOLD`	`1000`	Severity-score cutoff for “Critical” badge
`$WORKSPACE_HIGH_THRESHOLD`	`250`	“High” badge cutoff
`$WORKSPACE_MEDIUM_THRESHOLD`	`25`	“Medium” badge cutoff
`$WORKSPACE_LOW_THRESHOLD`	`1`	“Low” badge cutoff
`$BURP_HOST`	`http://127.0.0.1:8080`	Web UI’s Burp proxy (for the “Send to Burp” action)

Apache

The installer configures /etc/apache2/sites-enabled/apache_remote_ssl_digest_auth_port_1337.conf with:

Port 1337 (HTTPS only)
Self-signed certificate at /etc/apache2/ssl/server.crt / server.key
HTTP Digest authentication, realm restricted, user database at /etc/htdigest/.htdigest
A systemd drop-in at /etc/systemd/system/apache2.service.d/sniper-override.conf that disables Apache’s default Kali hardening (ProtectSystem, RestrictNamespaces, MemoryDenyWriteExecute, etc.) — required so that www-data-forked scan tools have the capabilities they need

To change the port, edit both apache_remote_ssl_digest_auth_port_1337.conf and /etc/apache2/ports.conf, then sudo systemctl reload apache2.

Admin password

At install, a random 16-char password is generated and stored at:

/usr/share/sniper/pro/data/.admin-password    (root:root 0600)

The corresponding Apache Digest HA1 (MD5(admin:restricted:password)) is written to:

/etc/htdigest/.htdigest                        (root:www-data 0640)

To change the password, regenerate both files. The canonical method (matching the installer’s) writes the HA1 directly rather than using htdigest(1), which on Debian/Kali opens /dev/tty and breaks scripted updates:

NEW_PASS='your-new-password'
HA1=$(printf '%s' "admin:restricted:$NEW_PASS" | md5sum | awk '{print $1}')
sudo bash -c "echo "admin:restricted:$HA1" > /etc/htdigest/.htdigest"
sudo chmod 640 /etc/htdigest/.htdigest
sudo chown root:www-data /etc/htdigest/.htdigest
echo "$NEW_PASS" | sudo tee /usr/share/sniper/pro/data/.admin-password > /dev/null
sudo chmod 600 /usr/share/sniper/pro/data/.admin-password
sudo systemctl reload apache2

PostgreSQL

PostgreSQL is provisioned for the Metasploit Framework during install. Connection is local-socket by default and is configured by msfdb init. There is no standalone “sniper” database — scan metadata lives on disk under /usr/share/sniper/loot/workspace/<target>/.

Docker-specific configuration

See Docker for:

Port mapping (host ↔ container)
Volume mounts for persisting scan loot and configuration
--privileged vs. capability-based runs
docker compose service definition and healthcheck