
perl-Net-Snort-Parser-1.36-7.mga4.noarch.rpm

# $Id: HONEYNET.config,v 1.5 2004/05/17 14:02:00 bmc Exp $
# 
# This is an example configuration for snortconfig that could be useful
# in a honeynet deployment for snort-inline.
#
# !!! WARNING!!!
# honeypots are designed to be attacked.  while this tool may *HELP* reduce
# the risk of running such a system, it is not a perfect solution.  PLEASE
# check out http://www.honeynet.org for more information on the risks of
# running honeynets.
# 

# Actions assigned per rules file: each key is an action name and each value
# is a comma-separated list of rules files.
# NOTE(review): replace_or_drop presumably means "rewrite the matched content
# where the rule allows it, otherwise drop the packet" -- confirm against the
# snortconfig documentation.
# NOTE(review): only traffic that matches a rule in these files is affected;
# anything the rule set does not match is outside this policy.
[files]
replace_or_drop: shellcode.rules, exploit.rules, rpc.rules
drop: attack-responses.rules
# tftp.rules is set to alert rather than a blocking action; the remark about
# blocked tftp downloads in [classifications] looks like the reason -- confirm.
alert: tftp.rules

# Actions assigned per rule classification: each key is an action name and
# each value is a comma-separated list of classification names.
# NOTE(review): the keys "drop" and "alert" each appear on separate lines in
# this section, and the comments below read as if later lines adjust earlier
# ones. Confirm that snortconfig accumulates repeated keys and applies them in
# file order; a parser that keeps only one value per key would silently lose
# part of this policy.
[classifications]
# NOTE(review): attempted-admin is listed twice in this value; the second
# occurrence looks redundant.
replace_or_drop: attempted-admin,bad-unknown, attempted-dos, successful-dos, attempted-user, attempted-admin, successful-user, rpc-portmap-decode, shellcode-detect, denial-of-service, misc-attack
drop: suspicious-login, suspicious-filename-detect, web-application-attack, default-login-attempt

# turn this back on if it happened to get turned off by something else
alert: trojan-activity

# this happens to block tftp downloads, which is bad...
# NOTE(review): the remark appears to describe a side effect of the drop below;
# the alert entries for tftp.rules in [files] and for the sids in [sids] look
# like the matching workaround -- confirm.
drop: successful-admin

# turn these back on
# Actions assigned per individual rule, identified by Snort rule ID (sid);
# the listed rules are set to alert.
# NOTE(review): these sids look like the stock TFTP signatures, which would
# match the tftp remark in [classifications] -- verify against the rule set
# actually deployed, because a sid only identifies a rule within that set.
# NOTE(review): this relies on a sid entry taking precedence over the [files]
# and [classifications] entries for the same rule -- confirm in snortconfig.
[sids]
alert: 1289, 1441, 1442, 1443, 519, 520, 518, 1444