Rob McMillen wrote:
That is right. In order to get the packet from the firewall and
decide the packet's destiny, you must do it as root.
As far as the inline logging goes, I would have to look into it as well.
What version honeywall are you using?
Rob
On 6/27/07, Patrick McCarty <[EMAIL PROTECTED]> wrote:
On Wed, Jun 27, 2007 at 03:44:24PM -0400, Earl wrote:
> I don't believe it can drop privs because it needs to be able to
> drop packets and to send resets and other rootly stuff. Rob/Patrick?
IIRC, it needs root privs because of the interface to the userspace
libipq.
Otherwise, any non-priv process could accept, modify, or reject any
packet that was sent to userspace from the iptables -j QUEUE target.
There may be other reasons as well, it's been a bit since I've looked
at that particular piece.
-- patrick
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
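Patrick's point, that the kernel hands QUEUE'd packets only to a suitably privileged process, can be checked on a live box without reading the libipq source: the netlink socket libipq opens is gated on the CAP_NET_ADMIN capability, so a process that has lost that capability from its effective set can no longer take packets or return verdicts. The script below is an added example written for this thread, not Honeywall or snort_inline code. It parses the Uid and CapEff lines of /proc/<pid>/status and reports whether CAP_NET_ADMIN (capability number 12) is still held. The three status excerpts are constructed, standing in for a snort_inline running as root, a snort that dropped to an unprivileged uid (what -u snort asks for), and a process that changed uid but kept only CAP_NET_ADMIN. That last case is not a claim about what snort_inline does; it is there to show that the kernel's check is on the capability, not on uid 0.

```python
"""Does this process still hold what the QUEUE target's userspace side needs?

Added example for the thread above, not Honeywall or snort_inline code.
It reads the Uid and CapEff lines of /proc/<pid>/status and checks for
CAP_NET_ADMIN (bit 12), the capability the kernel checks on the netlink
socket that libipq uses. The status excerpts at the bottom are constructed.
"""
import sys

CAP_NET_ADMIN = 12  # Linux capability number, see capabilities(7)


def parse_status(text):
    """Pick the Name, Uid and CapEff lines out of a /proc/<pid>/status dump.

    Returns {'name': str, 'uid': (real, effective, saved, fs), 'cap_eff': int}.
    """
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if not sep:
            continue
        value = value.strip()
        if key == 'Name':
            info['name'] = value
        elif key == 'Uid':
            info['uid'] = tuple(int(x) for x in value.split())
        elif key == 'CapEff':
            info['cap_eff'] = int(value, 16)  # hex bitmask, one bit per capability
    missing = {'name', 'uid', 'cap_eff'} - info.keys()
    if missing:
        raise ValueError('status dump lacks ' + ', '.join(sorted(missing)))
    return info


def has_cap(cap_eff, cap):
    """True if capability number `cap` is set in the effective mask."""
    return (cap_eff >> cap) & 1 == 1


def can_drive_queue(info):
    """The netlink queue interface needs CAP_NET_ADMIN in the effective set;
    uid 0 by itself is neither necessary nor sufficient for that check."""
    return has_cap(info['cap_eff'], CAP_NET_ADMIN)


def describe(info):
    euid = info['uid'][1]
    verdict = 'can' if can_drive_queue(info) else 'can NOT'
    return f"{info['name']}: euid={euid} CapEff={info['cap_eff']:#x} -> {verdict} hold the QUEUE handle"


def read_live(pid):
    """Read a real /proc entry (Linux only); not used by the constructed demo."""
    with open(f'/proc/{pid}/status') as fh:
        return parse_status(fh.read())


# Constructed /proc/<pid>/status excerpts (not captured from a Honeywall).
ROOT_SNORT_INLINE = "Name:\tsnort-inline\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
DROPPED_SNORT = "Name:\tsnort-plain\nUid:\t501\t501\t501\t501\nGid:\t501\t501\t501\t501\nCapEff:\t0000000000000000\n"
NET_ADMIN_ONLY = "Name:\tqueue-reader\nUid:\t501\t501\t501\t501\nGid:\t501\t501\t501\t501\nCapEff:\t0000000000001000\n"


if __name__ == '__main__':
    if len(sys.argv) > 1:  # e.g. python3 queuecap.py $(pidof snort-inline)
        print(describe(read_live(int(sys.argv[1]))))
    for dump in (ROOT_SNORT_INLINE, DROPPED_SNORT, NET_ADMIN_ONLY):
        print(describe(parse_status(dump)))
```

Saved as, say, queuecap.py (a name chosen here) and given a pid, it prints the live values for a running snort-inline. The ps -ef comparison in the next post asks the same question through a coarser lens, since ps shows only the uid and not the capability set.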
Dear all,
Initially, I installed Honeywall 1.1 and I encountered the same problem
with the snort_inline log.
I cannot view it.
After that I changed to Honeywall 1.2 and I still cannot see anything
in the snort_inline log.
I'm sure that snort_inline is firing and not outbound rate limiting.
My snort runs normally, so I compared the user privs between snort and
snort_inline:
[EMAIL PROTECTED] ~]# ps -ef | grep snort
snort 28305 1 0 00:04 ? 00:00:07 snort-plain -D -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/20070628 -u snort -t /var/log/snort -N
root 30948 1 85 09:52 ? 00:00:05 snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/snort_inline/20070628 -u snort -t /var/log/snort_inline
Snort_inline runs with "root" priv only, doesn't it?
Then I decided to change the mode of /var/log/snort_inline to 777
and the owner of /var/log/snort_inline to snort.
But it didn't solve anything.
I'll attach my "honeywall.conf" and "snort_inline.conf":
# Honeynet snort_inline configuration file
# Version 0.6
# Last modified 22 September, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var DNS_SERVERS any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
#config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
#config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
#config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
#config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
#config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
#config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
#config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
#config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
#config disable_ipopt_drops
# Configure Inline Resets
# ========================
#
# If running an iptables firewall with snort_inline we can now perform resets
# via a physical device we grab the indev from iptables and use this for the
# interface on which to send resets. This config option takes an argument for
# the src mac address you want to use in the reset packet. This way the bridge
# can remain stealthy. If the src mac option is not set we use the mac address
# of the indev device. If we don't set this option we will default to sending
# resets via raw socket, which needs an ipaddress to be assigned to the int.
#
config layer2resets
### Let's make sure we don't let bad packets out simply because
### they have bad checksums. If this is not here, packets with
### bad checksums could get out.
config checksum_mode: none
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline/rules
### Preprocessors
# usage guidelines: if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely. If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.
# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minimum ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: disable_evasion_alerts
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble: both
# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500 \
no_alerts
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic. It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.
preprocessor telnet_decode
# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors. The goal is to catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option.
# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
# 3 flow-portscan: Fixed Scale Talker Limit Exceeded
# 4 flow-portscan: Sliding Scale Talker Limit Exceeded
# preprocessor flow-portscan: \
# talker-sliding-scale-factor 0.50 \
# talker-fixed-threshold 30 \
# talker-sliding-threshold 30 \
# talker-sliding-window 20 \
# talker-fixed-window 30 \
# scoreboard-rows-talker 30000 \
# server-watchnet [10.2.0.0/30] \
# server-ignore-limit 200 \
# server-rows 65535 \
# server-learning-time 14400 \
# server-scanner-limit 4 \
# scanner-sliding-window 20 \
# scanner-sliding-scale-factor 0.50 \
# scanner-fixed-threshold 15 \
# scanner-sliding-threshold 40 \
# scanner-fixed-window 15 \
# scoreboard-rows-scanner 30000 \
# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
# dst-ignore-net [10.0.0.0/30] \
# alert-mode once \
# output-mode msg \
# tcp-penalties on
### Logging alerts of outbound attacks
output alert_syslog: log_auth log_alert
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
output alert_unified: filename /var/log/snort_inline/snort_inline_unified, limit 128
### If you want to log the contents of the dropped packets, remove comment
output log_tcpdump: tcpdump.log
# Include classification & priority settings
include /etc/snort/classification.config
include /etc/snort/reference.config
# Rule sets are now managed through the Walleye UI, please use
# the interface for addition/removal/modifications of rules. By
# default, the user interface maintains ALL the rules in a rules
# databases, then includes all the rules you enable in the rule
# files below. If you are not using a specific rule file below,
# then that rules file will be empty. Do NOT comment out unused
# rules files.
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/classification.config
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/reference.config
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
#####################################################################
#
# $Id: honeywall.conf 4552 2006-10-17 01:06:51Z esammons $
#
#############################################
#
# Copyright (C) <2005> <The Honeynet Project>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
#############################################
#
# This file is the Honeywall import file (aka "honeywall.conf").
# It is a list of VARIABLE=VALUE tuples (including comments as
# necessary, such as this) and whitespace lines.
#
# note: DO NOT surround values in quotation marks
#
#####################################################################
############################
# Site variables that are #
# global to all honeywalls #
# at a site. #
############################
# Specify the IP address(es) and/or networks that are allowed to connect
# to the management interface. Specify any to allow unrestricted access.
# [Valid argument: IP address(es) | IP network(s) in CIDR notation | any]
HwMANAGER=any
# Specify the port on which SSHD will listen
# NOTE: Automatically added to the list of TCP ports allowed in by IPTables
# [Valid argument: TCP (port 0 - 65535)]
HwSSHD_PORT=22
# Specify whether or not root can login remotely over SSH
# [Valid argument: yes | no]
HwSSHD_REMOTE_ROOT_LOGIN=yes
# NTP Time server(s)
# [Valid argument: IP address]
HwTIME_SVR=
############################
# Local variables that are #
# specific to each #
# honeywall at a site. #
############################
# Specify the system hostname
# [Valid argument: string ]
HwHOSTNAME=roo
# Specify the system DNS domain
# [Valid argument: string ]
HwDOMAIN=localdomain
#Start the Honeywall on boot
# [Valid argument: yes | no]
HwHONEYWALL_RUN=yes
# To use a headless system.
# [Valid argument: yes | no]
HwHEADLESS=no
# This Honeywall's public IP address(es)
# [Valid argument: IP address | space delimited IP addresses]
HwHPOT_PUBLIC_IP=
# DNS servers honeypots are allowed to communicate with
# [Valid argument: IP address | space delimited IP addresses]
HwDNS_SVRS=
# To restrict DNS access to a specific honeypot or group of honeypots, list
# them here, otherwise leave this variable blank
# [Valid argument: IP address | space delimited IP addresses | blank]
HwDNS_HOST=
# The name of the externally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwINET_IFACE=eth0
# The name of the internally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwLAN_IFACE=eth1
# The internal IP network connected to the internally facing interface
# [Valid argument: IP network in CIDR notation]
HwLAN_IP_RANGE=172.28.28.0/24
# The IP broadcast address for internal network
# [Valid argument: IP broadcast address]
HwLAN_BCAST_ADDRESS=172.28.28.255
# Enable QUEUE support to integrate with Snort-Inline filtering
# [Valid argument: yes | no]
HwQUEUE=yes
# The unit of measure for setting outbound connection limits
# [Valid argument: second, minute, hour, day, week, month, year]
HwSCALE=second
# The number of TCP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwTCPRATE=50
# The number of UDP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwUDPRATE=20
# The number of ICMP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwICMPRATE=1
# The number of other IP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwOTHERRATE=30
# Enable the SEBEK collector which delivers keystroke and files
# to a remote system even if an attacker replaces daemons such as sshd
# [Valid argument: yes | no]
HwSEBEK=yes
# Enable the Walleye Web interface.
#[Valid argument: yes | no]
HwWALLEYE=yes
# Specify whether to drop SEBEK packets or allow them to be sent
# outside of the Honeynet.
# [Valid argument: ACCEPT | DROP]
HwSEBEK_FATE=DROP
# Specify the SEBEK destination host IP address
# [Valid argument: IP address]
HwSEBEK_DST_IP=172.28.102.198
# Specify the SEBEK destination port
# [Valid argument: port]
HwSEBEK_DST_PORT=1101
# Enable SEBEK logging in the Honeywall firewall logs
# [Valid argument: yes | no]
HwSEBEK_LOG=no
# Specify whether the dialog menu is to be started on login to TTY1
# [Valid argument: yes | no ]
HwMANAGE_DIALOG=yes
# Specify whether management port is to be activated on start or not.
# [Valid argument: yes | no ]
HwMANAGE_STARTUP=yes
# Specify the network interface for remote management. If set to br0, it will
# assign MANAGE_IP to the logical bridge interface and allow its use as a
# management interface. Set to none to disable the management interface.
# [Valid argument: eth* | br* | ppp* | none]
HwMANAGE_IFACE=eth2
# IP of management Interface
# [Valid argument: IP address]
HwMANAGE_IP=172.28.102.198
# Netmask of management Interface
# [Valid argument: IP netmask]
HwMANAGE_NETMASK=255.255.255.0
# Default Gateway of management Interface
# [Valid argument: IP address]
HwMANAGE_GATEWAY=172.28.102.1
# DNS Servers of management Interface
# [Valid argument: space delimited IP addresses]
HwMANAGE_DNS=202.47.142.131 203.162.7.193
# TCP ports allowed into the management interface.
# Do NOT include the SSHD port. It will automatically be included
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_IN=443
# Specify whether or not the Honeywall will restrict outbound network
# connections to specific destination ports. When bridge mode is utilized,
# a management interface is required to restrict outbound network connections.
# [Valid argument: yes | no]
HwRESTRICT=no
# Specify the TCP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_OUT=22 25 43 80 443
# Specify the UDP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of UDP ports]
HwALLOWED_UDP_OUT=53 123
# Specify whether or not to start swatch and email alerting.
# [Valid argument: yes | no]
HwALERT=yes
# Specify email address to use for email alerting.
# [Valid argument: any email address]
[EMAIL PROTECTED]
# NIC Module List - Set this to the number and order you wish
# to load NIC drivers, such that you get the order you want
# for eth0, eth1, eth2, etc.
# [Valid argument: list of strings]
#
# Example: eepro100 8139too
HwNICMODLIST=
# Blacklist, Whitelist, and Fencelist features.
# [Valid argument: string ]
HwFWBLACK=/etc/blacklist.txt
# [Valid argument: string ]
HwFWWHITE=/etc/whitelist.txt
# [Valid argument: string ]
HwFWFENCE=/etc/fencelist.txt
# [Valid argument: yes | no]
HwBWLIST_ENABLE=no
# [Valid argument: yes | no]
HwFENCELIST_ENABLE=no
# The following feature allows the roo to allow attackers into the
# honeypots but they can't send packets out...
# [Valid argument: yes | no]
HwROACHMOTEL_ENABLE=no
# Disables BPF filtering based on the contents of HwHPOT_PUBLIC_IP
# and the black and white list contained within HwFWBLACK and HwFWWHITE
# if the HwBWLIST_ENABLE is on. Otherwise, it just filters based on
# the contents of HwHPOT_PUBLIC_IP
# [Valid argument: yes | no]
HwBPF_DISABLE=yes
# This capability is not yet implemented in roo. The variable
# has been commented out for this reason. dittrich - 02/08/05
# Options for hard drive tuning (if needed).
# [Valid argument: string ]
# Example: -c 1 -m 16 -d
HwHWPARMOPTS=
# Should we swap capslock and control keys?
HwSWAP_CAPSLOCK_CONTROL=no
##########################################################################
# Snort Rule Update Variables
##########################################################################
# Enable or disable automatic snort rule updates
# [Valid argument: yes | no]
HwRULE_ENABLE=yes
# Automatically restart snort and snort_inline when automatic updates are
# applied and when calls to update IDS or IPs rules?
# [Valid argument: yes | no]
HwSNORT_RESTART=yes
# Oink Code - Required by Oinkmaster to retrieve VRT rule updates
# See: /hw/docs/README.snortrules or
# http://www.honeynet.org/tools/cdrom/roo/manual/
# for instructions on how to obtain it (Free registration).
# [Valid argument: ~40 char alphanum string]
HwOINKCODE=a7a0ac0d6e14a691882eab106f27be4bc76fa28f
# Day automatic snort rule updates should be retrieved (for weekly updates)
# For daily updates, set this to ""
# [Valid argument: sun | mon | tue | wed | thu | fri | sat]
HwRULE_DAY=sat
# Hour of day snort rules updates should be retrieved
# [Valid argument: 0 | 1 | 2 | ... | 23] (0 is Midnight, 12 is noon, 23 is 11PM)
HwRULE_HOUR=3
##########################################################################
# Pcap and DB data retention settings
# Currently ONLY used when Pcap/DB purge scripts are called
# Pcap/DB data *is NOT* automatically purged
##########################################################################
# Days to retain Pcap data. This will be used *IF* /dlg/config/purgePcap.pl
# is called with NO arguments.
# NOTE: Override this by supplying the number of days as an argument ala:
# /dlg/config/purgePcap.pl <days>
HwPCAPDAYS=45
# Days to retain DB data. This will be used *IF* /dlg/config/purgeDB.pl
# is called with NO arguments.
# NOTE: Override this by supplying the number of days as an argument ala:
# /dlg/config/purgeDB.pl <days>
HwDBDAYS=180
##########################################################################
# NAT mode is no longer supported.
# Don't mess with anything below here unless you know what you're
# doing! Don't say we didn't warn you, and don't try logging a bugzilla
# request to clean up the mess!
##########################################################################
# Space delimited list of Honeypot ips
# NOTE: MUST HAVE SAME NUMBER OF IPS AS PUBLIC_IP VARIABLE.
# [Valid argument: IP address]
#HwHPOT_PRIV_IP_FOR_NAT=
# Specify the IP address of the honeywall's internal (i.e. gateway
# IP for NAT) IP address. This is only used in NAT mode.
# [Valid argument: IP address ex: 192.168.10.1]
#HwPRIV_IP_FOR_NAT=
# Specify the IP netmask for interface aliases. One alias will be created
# on the external interface for each Honeypot when in NAT mode only.
# [Valid argument: IP netmask]
#HwALIAS_MASK_FOR_NAT=255.255.255.0
# End of honeywall.conf parameters
#
# Newly defined variables as of Tue Jun 19 10:08:33 GMT 2007
#
HwHFLOW_DB=1.1
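The honeywall.conf above is a flat VARIABLE=VALUE file whose own comments spell out most of its constraints: values are never quoted, a number of fields are yes|no, HwSCALE takes a fixed set of units, HwRULE_DAY and HwRULE_HOUR have stated ranges, HwLAN_IP_RANGE is CIDR, and HwALLOWED_TCP_IN must not repeat the SSHD port. The linter below is an added example written for this thread, not part of roo or Honeywall; it parses the file and enforces those stated constraints, and adds two hardening warnings (HwMANAGER=any and HwSSHD_REMOTE_ROOT_LOGIN=yes) that are this example's own opinion rather than a Honeywall rule. SAMPLE is a constructed excerpt carrying the values from the posted file, and BROKEN is the same excerpt with three deliberate mistakes.

```python
"""Lint a Honeywall import file (honeywall.conf).

Added example for this thread, not part of roo/Honeywall. The rules come
from the comments in the posted file (VARIABLE=VALUE, no quotes, yes|no
fields, HwSCALE units, HwRULE_DAY/HwRULE_HOUR ranges, CIDR LAN range,
"Do NOT include the SSHD port" in HwALLOWED_TCP_IN). The two hardening
warnings at the end are this example's own opinion. SAMPLE is constructed.
"""
import ipaddress
import re

YES_NO = {'HwSSHD_REMOTE_ROOT_LOGIN', 'HwHONEYWALL_RUN', 'HwHEADLESS', 'HwQUEUE',
          'HwSEBEK', 'HwWALLEYE', 'HwSEBEK_LOG', 'HwMANAGE_DIALOG', 'HwMANAGE_STARTUP',
          'HwRESTRICT', 'HwALERT', 'HwBWLIST_ENABLE', 'HwFENCELIST_ENABLE',
          'HwROACHMOTEL_ENABLE', 'HwBPF_DISABLE', 'HwRULE_ENABLE', 'HwSNORT_RESTART'}
INTEGERS = {'HwTCPRATE', 'HwUDPRATE', 'HwICMPRATE', 'HwOTHERRATE', 'HwPCAPDAYS', 'HwDBDAYS'}
SCALES = {'second', 'minute', 'hour', 'day', 'week', 'month', 'year'}
DAYS = {'', 'sun', 'mon', 'tue', 'wed', 'thu', 'fri', 'sat'}
TUPLE = re.compile(r'(Hw[A-Z0-9_]+)=(.*)')


def parse_conf(text):
    """Return {name: value}. Blank and comment lines are skipped; any other
    line that is not a VARIABLE=VALUE tuple raises ValueError."""
    conf = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = TUPLE.fullmatch(line)
        if not m:
            raise ValueError(f'line {n}: not a VARIABLE=VALUE tuple: {raw!r}')
        conf[m.group(1)] = m.group(2).strip()
    return conf


def _ports(value):
    return [int(p) for p in value.split()]


def lint(conf):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings."""
    out = []
    for k, v in conf.items():
        if len(v) >= 2 and v[0] == v[-1] and v[0] in '"\'':
            out.append(f'ERROR: {k} value is quoted; the importer wants bare values')
        if k in YES_NO and v not in ('yes', 'no'):
            out.append(f'ERROR: {k}={v!r} must be yes or no')
        if k in INTEGERS and not v.isdigit():
            out.append(f'ERROR: {k}={v!r} must be an integer')
    try:
        sshd = int(conf.get('HwSSHD_PORT', '22'))
        if not 0 <= sshd <= 65535:
            out.append(f'ERROR: HwSSHD_PORT={sshd} is outside 0-65535')
        if sshd in _ports(conf.get('HwALLOWED_TCP_IN', '')):
            out.append('ERROR: HwALLOWED_TCP_IN lists the SSHD port, which is added automatically')
    except ValueError:
        out.append('ERROR: HwSSHD_PORT or HwALLOWED_TCP_IN contains a non-numeric port')
    if conf.get('HwSCALE') not in SCALES:
        out.append(f"ERROR: HwSCALE={conf.get('HwSCALE')!r} is not a valid unit")
    if conf.get('HwRULE_DAY', '') not in DAYS:
        out.append(f"ERROR: HwRULE_DAY={conf.get('HwRULE_DAY')!r} is not sun..sat or blank")
    hour = conf.get('HwRULE_HOUR', '')
    if not (hour.isdigit() and int(hour) <= 23):
        out.append(f'ERROR: HwRULE_HOUR={hour!r} is not 0-23')
    try:
        ipaddress.ip_network(conf.get('HwLAN_IP_RANGE', ''))
    except ValueError:
        out.append(f"ERROR: HwLAN_IP_RANGE={conf.get('HwLAN_IP_RANGE')!r} is not a CIDR network")
    if not conf.get('HwHPOT_PUBLIC_IP'):
        out.append('WARN: HwHPOT_PUBLIC_IP is empty; the BPF filter keys on it')
    # Hardening opinions (not Honeywall rules): a management interface reachable
    # from anywhere, with root allowed to log in over SSH, is a weak default.
    if conf.get('HwMANAGER') == 'any':
        out.append('WARN: HwMANAGER=any lets any address reach the management interface')
    if conf.get('HwSSHD_REMOTE_ROOT_LOGIN') == 'yes':
        out.append('WARN: HwSSHD_REMOTE_ROOT_LOGIN=yes; prefer an unprivileged user plus su/sudo')
    return out


# Constructed excerpt carrying the values from the posted honeywall.conf.
SAMPLE = """\
# Site variables
HwMANAGER=any
HwSSHD_PORT=22
HwSSHD_REMOTE_ROOT_LOGIN=yes
HwHPOT_PUBLIC_IP=
HwLAN_IP_RANGE=172.28.28.0/24
HwQUEUE=yes
HwSCALE=second
HwTCPRATE=50
HwALLOWED_TCP_IN=443
HwRULE_DAY=sat
HwRULE_HOUR=3
"""

# The same excerpt with three mistakes the lint should catch.
BROKEN = (SAMPLE.replace('HwQUEUE=yes', 'HwQUEUE="yes"')
                .replace('HwALLOWED_TCP_IN=443', 'HwALLOWED_TCP_IN=443 22')
                .replace('HwTCPRATE=50', 'HwTCPRATE=fifty'))

if __name__ == '__main__':
    for name, text in (('SAMPLE', SAMPLE), ('BROKEN', BROKEN)):
        print(name)
        for finding in lint(parse_conf(text)):
            print('  ' + finding)
```

On the posted values the linter reports no errors, only the three warnings (empty HwHPOT_PUBLIC_IP, HwMANAGER=any, root SSH login). The checks are deliberately limited to what the file's own comments state; anything the importer enforces beyond that is not covered here.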