Managing multiple policies and configurations
We discussed the stream_tcp.policy configuration parameter in the Configuring your environment section. We saw how the default setting for the parameter was bsd and how it should be changed to windows when the environment contains Windows machines. In reality, however, we often encounter environments where the network contains a mix of operating systems. In such cases, the stream_tcp module must reassemble TCP streams the way Windows does when the endpoint is a Windows machine, and the way BSD does when the endpoint is a BSD machine. This requires Snort to have multiple configurations and policies.

This is made possible using the Binder inspector, which is a special inspector in Snort 3. We will discuss the Binder inspector in Chapter 8.
Consider a network where a subset of the network (192.168.0.0/16) consists of BSD machines:
binder = { { when = { nets = '192.168.0.0/16', proto = 'tcp'...
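To show how the binder snippet above fits into a complete configuration, here is an added example that is not from the book: a Snort 3 Lua configuration that applies the bsd TCP reassembly policy only to the 192.168.0.0/16 subnet and keeps windows as the policy for every other TCP endpoint. The chapter shows only the nets and proto fields of the binding; the use table, the named second stream_tcp instance (tcp_bsd) and the stream = { } line are assumptions about Snort 3 configuration syntax, not something the page states.

```lua
-- Added example (not the book's code): per-network stream_tcp policies in Snort 3.
-- Assumptions: the 'use' keys (type, name), the named inspector instance
-- 'tcp_bsd' and the 'stream' table are Snort 3 syntax not shown on the page.

-- stream_tcp is a sub-inspector of stream, so the stream module must be enabled.
stream = { }

-- Default stream_tcp instance: used wherever no more specific binding matches.
-- This is the value the chapter says to set for a Windows-dominated environment.
stream_tcp = { policy = 'windows' }

-- A second stream_tcp instance for the BSD hosts. The table name is arbitrary;
-- the binder refers to it by type and by this name.
tcp_bsd = { policy = 'bsd' }

binder =
{
    -- Bindings are evaluated in order and the first match wins, so the most
    -- specific rule (the BSD subnet) comes first.
    {
        when = { nets = '192.168.0.0/16', proto = 'tcp' },
        use  = { type = 'stream_tcp', name = 'tcp_bsd' },
    },

    -- All remaining TCP traffic falls through to the default (windows) instance.
    {
        when = { proto = 'tcp' },
        use  = { type = 'stream_tcp' },
    },
}
```

Rule order matters: if the generic proto = 'tcp' binding were listed first, it would match the BSD hosts too and the tcp_bsd instance would never be selected. A configuration like this can be validated without processing traffic by running Snort in test mode (snort -c <config file> -T), which reports binder and inspector parsing errors before deployment.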