# $Id: HONEYNET.config,v 1.5 2004/05/17 14:02:00 bmc Exp $
#
# This is an example configuration for snortconfig that could be useful
# in a honeynet deployment for snort-inline.
#
# !!! WARNING!!!
# honeypots are designed to be attacked. while this tool may *HELP* reduce
# risk of running such a system, this is not a perfect solution. PLEASE
# check out http://www.honeynet.org for more information on the risks of
# running honeynets.
#
# Layout: each section selects rules by a different key (rules file,
# classification name, or individual SID) and assigns them an action
# keyword (replace_or_drop, drop, alert) as a comma-separated list.
# NOTE(review): the action keywords presumably map onto snort-inline rule
# actions -- confirm against the snortconfig documentation.
# NOTE(review): the [sids] entries below appear intended to undo part of a
# [classifications] entry, so this file relies on per-SID settings taking
# precedence over classification settings. Confirm that ordering, and
# compare the generated rules with the originals before running inline.

# Actions selected by rules file name.
[files]
replace_or_drop: shellcode.rules, exploit.rules, rpc.rules
drop: attack-responses.rules
# tftp.rules is kept at alert, consistent with the tftp note further down.
alert: tftp.rules

# Actions selected by rule classification name.
[classifications]
# NOTE(review): attempted-admin is listed twice in the value below;
# presumably harmless, but confirm the parser tolerates repeated entries.
replace_or_drop: attempted-admin,bad-unknown, attempted-dos, successful-dos, attempted-user, attempted-admin, successful-user, rpc-portmap-decode, shellcode-detect, denial-of-service, misc-attack
drop: suspicious-login, suspicious-filename-detect, web-application-attack, default-login-attempt
# turn this back on if it happened to get turned off by something else
alert: trojan-activity
# this happens to block tftp downloads, which is bad...
# NOTE(review): "drop" is used a second time in this section. The file
# assumes the parser accumulates repeated keys rather than keeping only
# one of them -- confirm, otherwise one of the two drop lists is lost.
drop: successful-admin

# turn these back on
# Actions selected by individual rule SID. NOTE(review): presumably these
# are the tftp signatures caught by "drop: successful-admin" above --
# verify each SID against the rule set in use.
[sids]
alert: 1289, 1441, 1442, 1443, 519, 520, 518, 1444