# Honeynet snort_inline configuration file
# Version 0.5
# Last modified 01 January, 2004
#
# Standard Snort configuration file modified for inline
# use.  Most preprocessors currently do not work in inline
# mode, as such they are not included.
#

### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

### As of snort_inline 2.2.0 we drop 
### packets with bad checksums. We can 
config checksum_mode: all 

# Path to your rules files (this can be a relative path)
var RULE_PATH /usr/src/snort_inline-2.3.0-RC1/rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
# config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
# config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
# config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
# config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
# config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
# config disable_ipopt_drops

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem

# Configure Inline Resets
# ========================
# 
# If running an iptables firewall with snort_inline we can now perform resets
# via a physical device: we grab the indev from iptables and use it as the
# interface on which to send resets. This config option takes an argument for
# the src mac address you want to use in the reset packet, so the bridge
# can remain stealthy. If the src mac option is not set we use the mac address
# of the indev device. If we don't set this option at all we will default to sending
# resets via raw socket, which needs an ip address to be assigned to the interface.
#
# config layer2resets: 00:06:76:DD:5F:E3
 
### Preprocessors
# usage guidelines:  if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely.  If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.

# sticky-drop: drop all packets from the source of an attack for x number of seconds
# ----------------------------------------------------------------------------------
# For use in the rule language and by the portscan2, clamav, and sfportscan preprocessors to drop
# packets from attackers for x number of seconds because we don't like them messing with
# our stuff. Right now we only drop from source, so if using the sticky-drop keyword make sure
# that the source of the attack is something you actually want to block.
#
# In the example below the first line tells stickydrop the max amount of entries for memory allocation.
# In addition the first line tells stickydrop to log dropped packets to stickyd.log in the snort log dir.
#
# The second line specifies timeouts for the two currently supported portscan preprocs and clamav.
#
# The third line tells which sources to never drop; it is very, very important to add your home net
# and your dns servers to this list.
#
# example:
#preprocessor stickydrop: max_entries 3000,log
#preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
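# An added config-lint script, not part of this Honeynet file or of snort_inline itself,
# that checks a snort_inline configuration for two pitfalls the comments above call out:
# an HTTP_PORTS list such as [80,8080], and a stickydrop-ignorehosts line that leaves out
# HOME_NET or your dns servers. The sample config and the dns address passed to lint()
# are constructed; the HOME_NET check is skipped when HOME_NET is "any", as in this file.

```python
import ipaddress
import re

# Constructed sample config (not the file above) that makes both mistakes.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var HTTP_PORTS [80,8080]
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-ignorehosts: 192.168.1.12
"""


def parse_conf(text):
    """Return (vars, preprocessors) from the config, ignoring '#' comments."""
    variables, preprocs = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"var\s+(\w+)\s+(.+)", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"preprocessor\s+([\w-]+):\s*(.*)", line)
        if m:
            preprocs[m.group(1)] = m.group(2).strip()
    return variables, preprocs


def lint(text, dns_servers=()):
    """Return a list of findings; an empty list means both checks passed."""
    variables, preprocs = parse_conf(text)
    findings = []
    if variables.get("HTTP_PORTS", "").startswith("["):
        findings.append("HTTP_PORTS uses a port list, which snort_inline does not "
                        "support; define one port per var and re-include the rules")
    if "stickydrop" in preprocs:
        # Every host/net listed on stickydrop-ignorehosts, as networks (/32 for hosts).
        ignore = [ipaddress.ip_network(h, strict=False)
                  for h in preprocs.get("stickydrop-ignorehosts", "").split()]
        home = variables.get("HOME_NET", "any")
        if home != "any":
            home_net = ipaddress.ip_network(home, strict=False)
            if not any(home_net.subnet_of(n) for n in ignore):
                findings.append(f"stickydrop-ignorehosts lacks HOME_NET {home}")
        for dns in dns_servers:
            if not any(ipaddress.ip_address(dns) in n for n in ignore):
                findings.append(f"stickydrop-ignorehosts lacks dns server {dns}")
    return findings
```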
 
# Done by iptables. iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2.
# preprocessor frag2

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term,  many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#

preprocessor flow: stats_interval 5 hash 2
preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000