$OpenBSD: patch-etc_snort_conf,v 1.12 2014/06/04 03:17:12 lteo Exp $

reputation preprocessor disabled, still experimental

--- etc/snort.conf.orig	Thu Apr  3 17:25:10 2014
+++ etc/snort.conf	Mon Jun  2 00:13:35 2014
@@ -101,13 +101,13 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH ${SYSCONFDIR}/snort/rules
+var SO_RULE_PATH ${SYSCONFDIR}/snort/so_rules
+var PREPROC_RULE_PATH ${SYSCONFDIR}/snort/preproc_rules
 
 # If you are using reputation preprocessor set these
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH ${SYSCONFDIR}/snort/rules
+var BLACK_LIST_PATH ${SYSCONFDIR}/snort/rules
 
 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
@@ -138,7 +138,11 @@ config disable_ipopt_alerts
 # config enable_decode_oversized_drops
 
 # Configure IP / TCP checksum mode
-config checksum_mode: all
+# OpenBSD delays the IP and protocol checksum calculation for outbound packets
+# until late in the outbound path.  However, this causes Snort to think it is
+# seeing packets with bad checksums and discard them and never trigger alerts.
+# To prevent this, turn off Snort's checksum verification subsystem.
+config checksum_mode: none
 
 # Configure maximum number of flowbit references.  For more information, see README.flowbits
 # config flowbits_size: 64
@@ -154,6 +158,7 @@ config checksum_mode: all
 #
 # config daq: <type>
 # config daq_dir: <dir>
+config daq_dir: ${PREFIX}/lib/daq/
 # config daq_mode: <mode>
 # config daq_var: <var>
 #
@@ -499,12 +504,12 @@ preprocessor dnp3: ports { 20000 } \
    check_crc
 
 # Reputation preprocessor. For more information see README.reputation
-preprocessor reputation: \
-   memcap 500, \
-   priority whitelist, \
-   nested_ip inner, \
-   whitelist $WHITE_LIST_PATH/white_list.rules, \
-   blacklist $BLACK_LIST_PATH/black_list.rules 
+#preprocessor reputation: \
+#   memcap 500, \
+#   priority whitelist, \
+#   nested_ip inner, \
+#   whitelist $WHITE_LIST_PATH/white_list.rules, \
+#   blacklist $BLACK_LIST_PATH/black_list.rules 
 
 ###################################################
 # Step #6: Configure output plugins
@@ -538,8 +543,9 @@ include reference.config
 ###################################################
 
 # site specific rules
-include $RULE_PATH/local.rules
+#include $RULE_PATH/local.rules
 
+# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/
 include $RULE_PATH/app-detect.rules
 include $RULE_PATH/attack-responses.rules
 include $RULE_PATH/backdoor.rules
@@ -655,6 +661,9 @@ include $RULE_PATH/web-iis.rules
 include $RULE_PATH/web-misc.rules
 include $RULE_PATH/web-php.rules
 include $RULE_PATH/x11.rules
+
+# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/
+# include $RULE_PATH/emerging.conf
 
 ###################################################
 # Step #8: Customize your preprocessor and decoder alerts
