Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf

["Weir, Jason" <jason.weir () nhrs org>]

Looks like its already there

 

http://labs.snort.org/snort/2930/snort.2930.conf

 

-J

 

From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Friday, July 20, 2012 11:20 AM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing
fromsnort.conf

 

The 2.9.3.0 snort.conf is almost exactly the same (except for the
version number at the top of the snort.conf) as the 2.9.2.3 conf.

 

As always, you shouldn't use the snort.conf that ships in the tarball,
you should use the snort.confs here:

http://www.snort.org/vrt/snort-conf-configurations/

 

I'll work on getting 2.9.3.0's up today.

 

--

Joel Esler

Senior Research Engineer, VRT

OpenSource Community Manager

Sourcefire

 

On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com>
wrote:





I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there
are
11 groups of rules omitted from the include statement (see the missing
ones
below). Usually all the rule groups listed under Step 7 of the
snort.conf
are included in the rule tarball.

I don't have access to the 2930 rule tarball so I'm not sure if those 11
groups have been pulled from the tarball?

include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/server-mail.rules


Also, is the below a clerical error in the snort.conf, or is that
correct?

Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type
stateful
encrypted_traffic no check_encrypted

Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type
stateful
encrypted_traffic no

Kindest regards,
Michael...


------------------------------------------------------------------------
------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond.
Discussions 
will include endpoint security, mobile security and the latest in
malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

 

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!