Honeypots mailing list archives
Packet Replace Mode
From: Kerry Forbes <surfsouth () gmail com>
Date: 8 Mar 2005 00:27:07 -0000
Hey there... I have a fully functional GenII honeynet, with honeywall and 2 honeypots. Basically based on the Know Your Enemy second edition book. It has been running for over 2 weeks and the snort inline rules are set to the default Packet Drop Mode (PDM), but I'm ready now to change my inline rules to packet replace mode (PRM), and I've used Brian Caswell's Perl script snortconfig, and haven't had any luck. Basically it won't accept the config file I created.

My question is to anyone who's gone ahead and changed their rules to PRM: how exactly did you get them changed without doing it all by hand?

Any help would really be appreciated.

Thanks in advance
Kerry

PS... Here is the config file I made up just as suggested in the manual.

[files]
replace_or_drop: dos.rules, ddos.rules, backdoor.rules, exploit.rules, web-attacks.rules, virus.rules, shellcode.rules, mysql.rules, sql.rules, attack-responses.rules, misc.rules, imap.rules, pop2.rules, pop3.rules, snmp.rules, web-cgi.rules, web-client.rules, web-coldfusion.rules, web-frontpage.rules, web-iis.rules, web-misc.rules, web-php.rules
log: deleted.rules, scan.rules, chat.rules, netbios.rules, info.rules, finger.rules, ftp.rules, icmp-info.rules, multimedia.rules, policy.rules, porn.rules, rservices.rules, telnet.rules, tftp.rules, ftp.rules
drop: p2p.rules, x11.rules