[Honeywall] Snort_inline log problem

Phan Thanh Liêm liempt at hedspi.hut.edu.vn
Wed Jun 27 23:23:59 EDT 2007


Rob McMillen wrote:
> That is right.  In order to get the packet from the firewall and
> decide the packet's destiny, you must do it as root.
>
> As far as the inline logging, I would have to look into it as well.
> What version honeywall are you using?
>
> Rob
>
> On 6/27/07, Patrick McCarty <patrick at setsuid.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Wed, Jun 27, 2007 at 03:44:24PM -0400, Earl wrote:
>> > I don't believe it can drop privs because it needs to be able to
>> > drop packets and send resets and other rootly stuff.  Rob/Patrick?
>>
>> IIRC, it needs root privs because of the interface to the userspace 
>> libipq.
>>
>> Otherwise, any non-priv process could accept, modify, or reject any 
>> packet that was sent to userspace from the iptables -j QUEUE target.
>>
>> There may be other reasons as well, it's been a bit since I've looked 
>> at that particular piece.
>>
>> - -- patrick
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.6 (GNU/Linux)
>>
>> iD8DBQFGgs3opPYocrgNjZgRAlazAJ4rUjODRmxd3jaKdIPyo2SKsa77WQCdHd+F
>> E5QAW41ANhjc0fUBdy10qSQ=
>> =B2l3
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Honeywall mailing list
>> Honeywall at public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/honeywall
>>
>
Dear all,

Initially, I installed Honeywall 1.1 and I encountered the same problem 
with the snort_inline log.
I cannot view it.
After that I changed to Honeywall 1.2 and I still cannot see anything 
in the snort_inline log.

I'm sure that snort_inline is firing and not outbound rate limiting.

My snort runs normally, so I compared the user privileges of snort and 
snort_inline:
[root at roo ~]# ps -ef | grep snort
snort    28305     1  0 00:04 ?        00:00:07 snort-plain -D -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/20070628 -u snort -t /var/log/snort -N
root     30948     1 85 09:52 ?        00:00:05 snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/snort_inline/20070628 -u snort -t /var/log/snort_inline
Snort_inline runs with "root" privileges only, doesn't it?

Then I decided to change the mode of /var/log/snort_inline to 777
and the owner of /var/log/snort_inline to snort.
But it didn't solve anything.

I'll attach my "honeywall.conf" and "snort_inline.conf".

-------------- next part --------------
# Honeynet snort_inline configuration file
# Version 0.6
# Last modified 22 September, 2005
#
# Standard Snort configuration file modified for inline
# use.  Most preprocessors currently do not work in inline
# mode, as such they are not included.
#

### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var DNS_SERVERS any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521


# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
#config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
#config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
#config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
#config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
#config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
#config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
#config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
#config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
#config disable_ipopt_drops

# Configure Inline Resets
# ========================
# 
# If running an iptables firewall with snort_inline we can now perform resets
# via a physical device we grab the indev from iptables and use this for the  
# interface on which to send resets. This config option takes an argument for
# the src mac address you want to use in the reset packet. This way the bridge 
# can remain stealthy. If the src mac option is not set we use the mac address  
# of the indev device. If we don't set this option we will default to sending 
# resets via raw socket, which needs an ipaddress to be assigned to the int.
#
config layer2resets

### Let's make sure we don't let bad packets out simply cause
### they have bad checksums.  If this is not here, packets with
### bad checksums could get out.
config checksum_mode: none

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline/rules

### Preprocessors
# usage guidelines:  if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely.  If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.

# Done by IPTables.  Iptables assembles fragments when we use connection
#                    tracking; therefore, we don't have to use frag2
# preprocessor frag2

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term,  many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

preprocessor stream4_reassemble: both

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.

preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    no_alerts

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors.  The goal is to catch catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option. 

# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded

# preprocessor flow-portscan: \
#	talker-sliding-scale-factor 0.50 \
#	talker-fixed-threshold 30 \
#	talker-sliding-threshold 30 \
#	talker-sliding-window 20 \
#	talker-fixed-window 30 \
#	scoreboard-rows-talker 30000 \
#	server-watchnet [10.2.0.0/30] \
#	server-ignore-limit 200 \
#	server-rows 65535 \
#	server-learning-time 14400 \
#	server-scanner-limit 4 \
#	scanner-sliding-window 20 \
#	scanner-sliding-scale-factor 0.50 \
#	scanner-fixed-threshold 15 \
#	scanner-sliding-threshold 40 \
#	scanner-fixed-window 15 \
#	scoreboard-rows-scanner 30000 \
#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#	dst-ignore-net [10.0.0.0/30] \
#	alert-mode once \
#	output-mode msg \
#	tcp-penalties on

### Logging alerts of outbound attacks
output alert_syslog: log_auth log_alert
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
output alert_unified: filename /var/log/snort_inline/snort_inline_unified, limit 128

### If you want to log the contents of the dropped packets, remove comment
output log_tcpdump: tcpdump.log

# Include classification & priority settings
include /etc/snort/classification.config
include /etc/snort/reference.config

# Rule sets are now managed through the Walleye UI, please use
# the interface for addition/removal/modifications of rules.  By
# default, the user interface maintains ALL the rules in a rules
# databases, then includes all the rules you enable in the rule
# files below.  If you are not using a specific rule file below,
# then that rules file will be empty.  Do NOT comment out unused
# rules files.
 
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/classification.config
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/reference.config
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
-------------- next part --------------
#####################################################################
#
# $Id: honeywall.conf 4552 2006-10-17 01:06:51Z esammons $
#
#############################################
#
# Copyright (C) <2005> <The Honeynet Project>
#
# This program is free software; you can redistribute it and/or modify 
# it under the terms of the GNU General Public License as published by 
# the Free Software Foundation; either version 2 of the License, or (at 
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but 
# WITHOUT ANY WARRANTY; without even the implied warranty of 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License 
# along with this program; if not, write to the Free Software 
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 
# USA
#
#############################################

#
# This file is the Honeywall import file (aka "honeywall.conf").
# It is a list of VARIABLE=VALUE tuples (including comments as 
# necessary, such as this) and whitespace lines.  
#
# note: DO NOT surround values in quotation marks
#
#####################################################################

############################
# Site variables that are  #
# global to all honeywalls #
# at a site.               #
############################

# Specify the IP address(es) and/or networks that are allowed to connect 
# to the management interface.  Specify any to allow unrestricted access.
# [Valid argument: IP address(es) | IP network(s) in CIDR notation | any]
HwMANAGER=any

# Specify the port on which SSHD will listen
# NOTE: Automatically added to the list of TCP ports allowed in by IPTables
# [Valid argument: TCP (port 0 - 65535)]
HwSSHD_PORT=22

# Specify whether or not root can login remotely over SSH
# [Valid argument: yes | no]
HwSSHD_REMOTE_ROOT_LOGIN=yes

# NTP Time server(s)
# [Valid argument: IP address]
HwTIME_SVR=


############################
# Local variables that are #
# specific to each         #
# honeywall at a site.     #
############################

# Specify the system hostname
# [Valid argument: string ]
HwHOSTNAME=roo

# Specify the system DNS domain
# [Valid argument: string ]
HwDOMAIN=localdomain

#Start the Honeywall on boot
# [Valid argument: yes | no]
HwHONEYWALL_RUN=yes

# To use a headless system.
# [Valid argument: yes | no]
HwHEADLESS=no


# This Honeywall's public IP address(es)
# [Valid argument: IP address | space delimited IP addresses]
HwHPOT_PUBLIC_IP=

# DNS servers honeypots are allowed to communicate with
# [Valid argument: IP address | space delimited IP addresses]
HwDNS_SVRS=

# To restrict DNS access to a specific honeypot or group of honeypots, list
# them here, otherwise leave this variable blank
# [Valid argument: IP address | space delimited IP addresses | blank]
HwDNS_HOST=

# The name of the externally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwINET_IFACE=eth0

# The name of the internally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwLAN_IFACE=eth1

# The IP network connected to the internally facing interface
# [Valid argument: IP network in CIDR notation]
HwLAN_IP_RANGE=172.28.28.0/24

# The IP broadcast address for internal network
# [Valid argument: IP broadcast address]
HwLAN_BCAST_ADDRESS=172.28.28.255

# Enable QUEUE support to integrate with Snort-Inline filtering
# [Valid argument: yes | no]
HwQUEUE=yes

# The unit of measure for setting outbound connection limits
# [Valid argument: second, minute, hour, day, week, month, year]
HwSCALE=second

# The number of TCP connections per unit of measure (HwScale)
# [Valid argument: integer]
HwTCPRATE=50

# The number of UDP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwUDPRATE=20

# The number of ICMP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwICMPRATE=1

# The number of other IP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwOTHERRATE=30

# Enable the SEBEK collector which delivers keystroke and files
# to a remote system even if an attacker replaces daemons such as sshd
# [Valid argument: yes | no]
HwSEBEK=yes

# Enable the Walleye Web interface.
#[Valid argument: yes | no]
HwWALLEYE=yes

# Specify whether to drop SEBEK packets or allow them to be sent 
# outside of the Honeynet.
# [Valid argument: ACCEPT | DROP]
HwSEBEK_FATE=DROP

# Specify the SEBEK destination host IP address
# [Valid argument: IP address]
HwSEBEK_DST_IP=172.28.102.198

# Specify the SEBEK destination port
# [Valid argument: port]
HwSEBEK_DST_PORT=1101

# Enable SEBEK logging in the Honeywall firewall logs
# [Valid argument: yes | no]
HwSEBEK_LOG=no


# Specify whether the dialog menu is to be started on login to TTY1
# [Valid argument: yes | no ]
HwMANAGE_DIALOG=yes

# Specify whether management port is to be activated on start or not.
# [Valid argument: yes | no ]
HwMANAGE_STARTUP=yes

# Specify the network interface for remote management.  If set to br0, it will 
# assign MANAGE_IP to the logical bridge interface and allow its use as a 
# management interface.  Set to none to disable the management interface.
# [Valid argument: eth* | br* | ppp* | none]
HwMANAGE_IFACE=eth2

# IP of management Interface
# [Valid argument: IP address]
HwMANAGE_IP=172.28.102.198

# Netmask of management Interface
# [Valid argument: IP netmask]
HwMANAGE_NETMASK=255.255.255.0

# Default Gateway of management Interface
# [Valid argument: IP address]
HwMANAGE_GATEWAY=172.28.102.1

# DNS Servers of management Interface
# [Valid argument: space delimited IP addresses]
HwMANAGE_DNS=202.47.142.131 203.162.7.193

# TCP ports allowed into the management interface.
# Do NOT include the SSHD port.  It will automatically be included
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_IN=443

# Specify whether or not the Honeywall will restrict outbound network 
# connections to specific destination ports.  When bridge mode is utilized,
# a management interface is required to restrict outbound network connections.
# [Valid argument: yes | no]
HwRESTRICT=no

# Specify the TCP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_OUT=22 25 43 80 443

# Specify the UDP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of UDP ports]
HwALLOWED_UDP_OUT=53 123

# Specify whether or not to start swatch and email alerting.
# [Valid argument: yes | no]
HwALERT=yes

# Specify email address to use for email alerting.
# [Valid argument: any email address]
HwALERT_EMAIL=liempt at mail.hut.edu.vn

# NIC Module List - Set this to the number and order you wish
# to load NIC drivers, such that you get the order you want
# for eth0, eth1, eth2, etc.
# [Valid argument: list of strings]
#
# Example: eepro100 8139too
HwNICMODLIST=

# Blacklist, Whitelist, and Fencelist features.
# [Valid argument: string ]
HwFWBLACK=/etc/blacklist.txt

# [Valid argument: string ]
HwFWWHITE=/etc/whitelist.txt

# [Valid argument: string ]
HwFWFENCE=/etc/fencelist.txt

# [Valid argument: yes | no]
HwBWLIST_ENABLE=no

# [Valid argument: yes | no]
HwFENCELIST_ENABLE=no

# The following feature allows the roo to allow attackers into the
# honeypots but they can't send packets out...
# [Valid argument: yes | no]
HwROACHMOTEL_ENABLE=no

# Disables BPF filtering based on the contents of HwHPOT_PUBLIC_IP 
# and the black and white list contained within HwFWBLACK and HwFWWHITE
# if the HwBWLIST_ENABLE is on.  Otherwise, it just filters based on
# the contents of HwHPOT_PUBLIC_IP
# [Valid argument: yes | no]
HwBPF_DISABLE=yes

# This capability is not yet implemented in roo.  The variable
# has been commented out for this reason. dittrich - 02/08/05
# Options for hard drive tuning (if needed).
# [Valid argument: string ]
# Example: -c 1 -m 16 -d
HwHWPARMOPTS=

# Should we swap capslock and control keys?
HwSWAP_CAPSLOCK_CONTROL=no

##########################################################################
# Snort Rule Update Variables
##########################################################################
# Enable or disable automatic snort rule updates
# [Valid argument: yes | no]
HwRULE_ENABLE=yes

# Automatically restart snort and snort_inline when automatic updates are 
# applied and when calls to update IDS or IPs rules?
# [Valid argument: yes | no]
HwSNORT_RESTART=yes

# Oink Code - Required by Oinkmaster to retrieve VRT rule updates
# See: /hw/docs/README.snortrules or 
#      http://www.honeynet.org/tools/cdrom/roo/manual/
# for instructions on how to obtain it (Free registration).
# [Valid argument: ~40 char alphanum string]
HwOINKCODE=a7a0ac0d6e14a691882eab106f27be4bc76fa28f

# Day automatic snort rule updates should be retrieved (for weekly updates)
# For daily updates, set this to ""
# [Valid argument: sun | mon | tue | wed | thu | fri | sat]
HwRULE_DAY=sat

# Hour of day snort rules updates should be retrieved
# [Valid argument: 0 | 1 | 2 | ... | 23] (0 is Midnight, 12 is noon, 23 is 11PM)
HwRULE_HOUR=3

##########################################################################
# Pcap and DB data retention settings
# Currently ONLY used when Pcap/DB purge scripts are called
# Pcap/DB data *is NOT* automatically purged
##########################################################################
# Days to retain Pcap data.  This will be used *IF* /dlg/config/purgePcap.pl 
# is called with NO arguments.
# NOTE: Override this by supplying the number of days as an argument ala:
# /dlg/config/purgePcap.pl <days>
HwPCAPDAYS=45

# Days to retain DB data.  This will be used *IF* /dlg/config/purgeDB.pl 
# is called with NO arguments.
# NOTE: Override this by supplying the number of days as an argument ala:
# /dlg/config/purgeDB.pl <days>
HwDBDAYS=180

##########################################################################
# NAT mode is no longer supported.
# Don't mess with anything below here unless you know what you're
# doing! Don't say we didn't warn you, and don't try logging a bugzilla
# request to clean up the mess!
##########################################################################

# Space delimited list of Honeypot ips
# NOTE: MUST HAVE SAME NUMBER OF IPS AS PUBLIC_IP VARIABLE.
# [Valid argument: IP address]
#HwHPOT_PRIV_IP_FOR_NAT=

# Specify the IP address of the honeywall's internal (i.e. gateway
# IP for NAT) IP address.  This is only used in NAT mode.
# [Valid argument: IP address ex: 192.168.10.1]
#HwPRIV_IP_FOR_NAT=


# Specify the IP netmask for interface aliases.  One alias will be created
# on the external interface for each Honeypot when in NAT mode only.
# [Valid argument: IP netmask]
#HwALIAS_MASK_FOR_NAT=255.255.255.0



# End of honeywall.conf parameters

#
# Newly defined variables as of Tue Jun 19 10:08:33 GMT 2007
#
HwHFLOW_DB=1.1

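A check for the log question in the post above, added here as an example; it is not code from the post or from the Honeywall project. It takes the snort-inline command line exactly as the `ps -ef` output in the post shows it, pulls out the -l, -t and -u arguments, and resolves where each output plugin named in snort_inline.conf should be writing. Two Snort behaviours drive the resolution: a relative output filename (snort_inline-full, snort_inline-fast, tcpdump.log) is written under the -l log directory, which in the post is the dated subdirectory /var/log/snort_inline/20070628 rather than /var/log/snort_inline itself, and an absolute filename (the alert_unified file) is used as given. Because the daemon also chroots with -t, an absolute filename opened from inside the chroot lands at <chroot><filename> on the host; which plugins open their file before or after the chroot depends on the Snort version, so the script checks the plain path first and the chroot-prefixed one as a fallback instead of deciding. The `ps -C` form in the usage comment assumes procps.

```shell
#!/bin/sh
# Added example, not code from the mailing list post or the Honeywall project.
# Locates where the output plugins in snort_inline.conf actually write, starting
# from the snort-inline command line seen in "ps -ef".  Paths are from the post.

# opt_from_cmdline "<command line>" <flag>  -> prints the argument after <flag>
opt_from_cmdline() {
    printf '%s\n' "$1" | awk -v flag="$2" '
        { for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit } }'
}

# resolve_output <logdir> <name> [<chroot>] -> host-side path of one output file.
# A relative name lives under the -l directory; an absolute name is used as given,
# prefixed with the -t chroot when one is passed (an open() made after chroot).
resolve_output() {
    ro_dir=${1%/}; ro_name=$2; ro_root=${3:-}
    case $ro_name in
        /*) printf '%s%s\n' "${ro_root%/}" "$ro_name" ;;
        *)  printf '%s/%s\n' "$ro_dir" "$ro_name" ;;
    esac
}

# outputs_from_conf <conf> -> filename argument of every file-writing output line
# (alert_fast, alert_full, alert_unified, log_tcpdump); comments are ignored.
outputs_from_conf() {
    awk '
        { sub(/#.*/, "") }
        $1 == "output" && $2 ~ /^(alert_fast|alert_full|alert_unified|log_tcpdump):$/ {
            if ($2 == "alert_unified:") {      # form: filename <path>, limit <n>
                f = $4; sub(/,$/, "", f); print f
            } else {
                print $3
            }
        }' "$1"
}

# check_outputs <logdir> <conf> [<chroot>] -> one line per expected output file:
#   <path> present <bytes>   or   <path> missing
# Exit status is 0 only when every expected file exists.
check_outputs() {
    co_dir=$1; co_conf=$2; co_root=${3:-}; co_rc=0
    for co_name in $(outputs_from_conf "$co_conf"); do
        co_path=$(resolve_output "$co_dir" "$co_name")
        # absolute name not found on the host: try the chroot-prefixed location
        if [ ! -f "$co_path" ] && [ -n "$co_root" ]; then
            case $co_name in /*) co_path=$(resolve_output "$co_dir" "$co_name" "$co_root") ;; esac
        fi
        if [ -f "$co_path" ]; then
            printf '%s present %s\n' "$co_path" "$(wc -c < "$co_path" | tr -d ' ')"
        else
            printf '%s missing\n' "$co_path"; co_rc=1
        fi
    done
    return $co_rc
}

# Usage on the Honeywall itself (procps ps; values as in the post):
#   cmd=$(ps -o args= -C snort-inline)
#   echo "runs as: $(opt_from_cmdline "$cmd" -u)"
#   check_outputs "$(opt_from_cmdline "$cmd" -l)" \
#                 /etc/snort_inline/snort_inline.conf \
#                 "$(opt_from_cmdline "$cmd" -t)"
#   ls -ld "$(opt_from_cmdline "$cmd" -l)"
```

Run it as root on the Honeywall and compare the listed directory against the one whose mode and owner were changed: the relative output files belong under the dated -l subdirectory, and the `ls -ld` line shows who owns that subdirectory after the daemon created it.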

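A validator for the honeywall.conf format attached above, added as an example and not the project's own tooling. It checks constraints the file's own comments state: values must not be quoted, HwSSHD_PORT is a port number and must not be repeated in HwALLOWED_TCP_IN, HwSCALE is one of the listed units, the four rate variables are integers, and HwRULE_HOUR is 0 to 23. It also flags HwMANAGER=any and HwSSHD_REMOTE_ROOT_LOGIN=yes, which the file documents as unrestricted management access and remote root login; treating those two as findings is this example's choice. The sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the post or of the Honeywall distribution.
# Validates a honeywall.conf against rules stated in the file's own comments
# and flags the two settings that widen exposure of the management interface.

# hw_get <file> <VAR> -> value of VAR (last uncommented assignment wins, "" if unset)
hw_get() {
    awk -F= -v var="$2" '
        /^[[:space:]]*#/ { next }
        $1 == var { sub(/^[^=]*=/, ""); val = $0 }
        END { print val }' "$1"
}

# is_uint <value> -> 0 if <value> is a non-empty string of digits
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# check_honeywall_conf <file> -> prints one finding per line; exit status is the
# number of findings, so 0 means the file passed every check.
check_honeywall_conf() {
    f=$1; n=0

    # "DO NOT surround values in quotation marks" (header of honeywall.conf)
    if grep -E "^[[:space:]]*Hw[A-Z_]+=[\"']" "$f" >/dev/null; then
        echo "quoted value: honeywall.conf values must not be quoted"; n=$((n + 1))
    fi

    port=$(hw_get "$f" HwSSHD_PORT)
    if ! is_uint "$port" || [ "$port" -gt 65535 ]; then
        echo "HwSSHD_PORT=$port: not a TCP port (0 - 65535)"; n=$((n + 1))
    fi

    # "Do NOT include the SSHD port.  It will automatically be included"
    for p in $(hw_get "$f" HwALLOWED_TCP_IN); do
        [ "$p" = "$port" ] && { echo "HwALLOWED_TCP_IN: lists the SSHD port $port"; n=$((n + 1)); }
    done

    case $(hw_get "$f" HwSCALE) in
        second|minute|hour|day|week|month|year) ;;
        *) echo "HwSCALE: not one of second minute hour day week month year"; n=$((n + 1)) ;;
    esac

    for v in HwTCPRATE HwUDPRATE HwICMPRATE HwOTHERRATE; do
        is_uint "$(hw_get "$f" "$v")" || { echo "$v: not an integer"; n=$((n + 1)); }
    done

    hour=$(hw_get "$f" HwRULE_HOUR)
    if ! is_uint "$hour" || [ "$hour" -gt 23 ]; then
        echo "HwRULE_HOUR=$hour: not an hour (0 - 23)"; n=$((n + 1))
    fi

    # exposure: "any" means unrestricted access to the management interface
    [ "$(hw_get "$f" HwMANAGER)" = any ] &&
        { echo "HwMANAGER=any: management interface reachable from any address"; n=$((n + 1)); }
    [ "$(hw_get "$f" HwSSHD_REMOTE_ROOT_LOGIN)" = yes ] &&
        { echo "HwSSHD_REMOTE_ROOT_LOGIN=yes: root may log in over SSH"; n=$((n + 1)); }

    return $n
}

# Usage:  check_honeywall_conf /etc/honeywall.conf; echo "findings: $?"
# With the values in the attached file this reports HwMANAGER=any and
# HwSSHD_REMOTE_ROOT_LOGIN=yes; restricting HwMANAGER to the management
# subnet and setting HwSSHD_REMOTE_ROOT_LOGIN=no clears both.
```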
More information about the Honeywall mailing list