Snort mailing list archives
Re: New snort.conf
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 30 Dec 2010 00:57:40 +0000
On 12/29/2010 9:26 PM, Crook, Parker wrote:
So I finally made the push to start migrating everything to 2.9 in its latest iteration (2.9.0.3) as things have cooled down in both of the environments I run (CentOS & Debian). After compilation I started migrating and found the below snippet as a header in my new snort.conf file. Great information -- Well done guys!

#--------------------------------------------------
# VRT Rule Packages Snort.conf
#
# For more information visit us at:
# http://www.snort.org Snort Website
# http://vrt-sourcefire.blogspot.com/ Sourcefire VRT Blog
#
# Mailing list Contact: snort-sigs () lists sourceforge net
# False Positive reports: fp () sourcefire com
# Snort bugs: bugs () snort org
#
# Compatible with Snort Versions:
# VERSIONS : 2.9.0.3
#
# Snort build options:
# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#--------------------------------------------------

I'm really excited to see the snort build options listed in here, as it shows me what is really going on when I run:

./configure --enable-ipv6 --enable-decoder-preprocessor-rules --enable-sourcefire --enable-targetbased --enable-perfprofiling --enable-reload --enable-dynamicplugin

After being puzzled for a minute I went through the configure options and noted that dynamicplugin is enabled by default, so I can see why that is left out, so I suppose the --enable-sourcefire turns on the following:

--enable-gre --enable-mpls --enable-ppm --enable-zlib --enable-active-response --enable-normalizer --enable-react --enable-flexresp3

Is that a correct assessment?

Thanks,
Parker

P.S. Perhaps consider adding a line in the "For more information visit us at" section pointing to the new Snort Blog?
FYI, that info (compile options) has been in the snort.conf that was distributed with the VRT version of the rules for some time. It just wasn't in the snort.conf that was distributed with the source; however, they have fixed that and the source now also has the correct snort.conf version.

There were also a bunch of differences in how http_inspect was configured. More info here: http://trojanedbinaries.com/blog/?p=212

Everyone should really review their snort.conf, and if you have the old stuff still lingering that you were using as a skeleton conf, you should trash it and go with the new source or the existing VRT conf to make sure things are configured correctly.

--
Eoin
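As an added example (not code from either message in this thread), the following POSIX shell script reads the "# OPTIONS :" line of a VRT snort.conf header and lists every flag it records that a given ./configure command line does not pass explicitly, which is the comparison Parker did by hand and a quick check when reviewing an old skeleton conf as Eoin suggests. The sample header is constructed from the one quoted above; the script reports only the literal difference, so options that configure turns on by default or through an umbrella flag such as --enable-sourcefire still appear as "missing" and must be confirmed against configure's own help output.

```shell
#!/bin/sh
# Added example: compare the build options recorded in a VRT snort.conf
# header with the flags actually passed to ./configure.
# SAMPLE_CONF is constructed from the header quoted in the thread above.

SAMPLE_CONF='#--------------------------------------------------
# VRT Rule Packages Snort.conf
#
# Compatible with Snort Versions:
# VERSIONS : 2.9.0.3
#
# Snort build options:
# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#--------------------------------------------------'

# conf_options CONF_TEXT: print the flags on the "# OPTIONS :" line, one per line.
conf_options() {
    printf '%s\n' "$1" | sed -n 's/^# *OPTIONS *: *//p' | tr ' ' '\n' | grep -v '^$'
}

# missing_options CONF_TEXT FLAG...: flags the conf header records that are
# not among the FLAG arguments (the ./configure command line), one per line.
# Only the literal difference is reported; defaults and umbrella flags such as
# --enable-sourcefire are not expanded.
missing_options() {
    conf="$1"; shift
    configured=" $* "
    conf_options "$conf" | while read -r flag; do
        case "$configured" in
            *" $flag "*) ;;                 # explicitly passed to configure
            *) printf '%s\n' "$flag" ;;     # recorded in conf, not on the command line
        esac
    done
}

# Parker's configure invocation from the quoted message.
PARKER_FLAGS='--enable-ipv6 --enable-decoder-preprocessor-rules --enable-sourcefire --enable-targetbased --enable-perfprofiling --enable-reload --enable-dynamicplugin'

# Prints the eight flags Parker listed as presumably implied by --enable-sourcefire.
missing_options "$SAMPLE_CONF" $PARKER_FLAGS
```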
Current thread:
- New snort.conf Crook, Parker (Dec 29)
- Re: New snort.conf Joel Esler (Dec 29)
- Re: New snort.conf Crook, Parker (Dec 30)
- Re: New snort.conf Joel Esler (Dec 30)
- Re: New snort.conf Crook, Parker (Dec 30)
- Re: New snort.conf Eoin Miller (Dec 29)
- Re: New snort.conf Joel Esler (Dec 29)