One of the fundamental differences between Snort 2 and Snort 3 concerns configuration
related to networks and ports. Here is a brief review of Snort 2 configuration for
network and service related components:

* Snort's configuration has a default policy and optional policies selected by
  VLAN or network (with config binding).

* Each policy contains a user defined set of preprocessor configurations.

* Each preprocessor has a default configuration and some support non-default
  configurations selected by network.

* Most preprocessors have port configurations.

* The default policy may also contain a list of ports to ignore.

In Snort 3, the above configurations are done in a single module called the
binder.  Here is an example:

    binder =
    {
        -- allow all tcp port 22:
        -- (similar to Snort 2 config ignore_ports)
        { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },

        -- select a config file by vlan
        -- (similar to Snort 2 config binding by vlan)
        { when = { vlans = '1024' }, use = { file = 'vlan.lua' } },

        -- use a non-default HTTP inspector for port 8080:
        -- (similar to a Snort 2 targeted preprocessor config)
        { when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
          use = { name = 'alt_http', type = 'http_inspect' } },

        -- use the default inspectors:
        -- (similar to a Snort 2 default preprocessor config)
        { when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
        { when = { service = 'http' }, use = { type = 'http_inspect' } },

        -- figure out which inspector to run automatically:
        { use = { type = 'wizard' } }
    }

Bindings are evaluated when a session starts and again if and when service is
identified on the session.  Essentially, the bindings are a list of when-use
rules evaluated from top to bottom.  The first matching network and service
configurations are applied.  binder.when can contain any combination of
criteria and binder.use can specify an action, config file, or inspector
configuration.

