Snort mailing list archives

VRT Rule Update for 08/23/2011: A Special Note about this release.


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Aug 2011 16:34:30 -0400

Snort Community -- 

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 
57 new rules and make modifications to 153 additional rules.

This rule package also includes support for the 2.9.1.0 version.

The following changes are made to the snort.conf in this release. With so many changes, we recommend rebuilding your 
snort.conf with a 2.9.1.0 template:

Updated HTTP_PORTS variable:
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]

New SIP_PORTS variable
portvar SIP_PORTS [5060,5061,5600]

New IP Blacklist variables:
var WHITE_LIST_PATH rules/
var BLACK_LIST_PATH rules/

New PAF configuration line (VERY IMPORTANT!)
config paf_max: 16000

Updated stream5 configuration:
ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555

Updated HTTP_INSPECT configuration lines:
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE }
and
ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }

Updated SMTP preprocessor configuration lines:
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0 \
log_mailfrom \
log_rcptto \
log_filename \
log_email_hdrs

Finally, new preprocessor configurations:

# SIP Session Initiation Protocol preprocessor. For more information see README.sip
preprocessor sip: max_sessions 40000, \
ports { 5060 5061 5600 }, \
methods { invite \
cancel \
ack \
bye \
register \
options \
refer \
subscribe \
update \
join \
info \
message \
notify \
benotify \
do \
qauth \
sprack \
publish \
service \
unsubscribe \
prack }, \
max_uri_len 512, \
max_call_id_len 80, \
max_requestName_len 20, \
max_from_len 256, \
max_to_len 256, \
max_via_len 1024, \
max_contact_len 512, \
max_content_len 2048 

# IMAP preprocessor. For more information see README.imap
preprocessor imap: \
ports { 143 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# POP preprocessor. For more information see README.pop
preprocessor pop: \
ports { 110 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules


The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, netbios, policy, smtp, 
specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these 
technologies.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
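As an added check (example code written for this archive page, not part of the original post or of Snort), the script below audits a snort.conf for the changes the note lists: the contents of HTTP_PORTS and SIP_PORTS, the `config paf_max:` line, the presence of the sip, imap, pop and reputation preprocessors, the SMTP decode-depth and logging options, and that the reputation whitelist and blacklist resolve to two different files (an easy copy-paste slip in that block). It understands only the small subset of snort.conf syntax needed for that, and the sample configurations embedded in it are constructed.

```python
"""Audit a snort.conf against the 2.9.1.0 changes in this release note. Added example, not
part of the original post or of Snort: it parses only the snort.conf subset needed here
(var/portvar, `config key: value`, backslash-continued preprocessor blocks)."""
import os
import re

# Values taken from the posted snort.conf changes.
REQUIRED_HTTP_PORTS = {
    80, 81, 311, 591, 593, 901, 1220, 1414, 1830, 2301, 2381, 2809, 3128, 3702, 4343, 5250,
    7001, 7145, 7510, 7777, 7779, 8000, 8008, 8014, 8028, 8080, 8088, 8118, 8123, 8180, 8181,
    8243, 8280, 8800, 8888, 8899, 9080, 9090, 9091, 9443, 9999, 11371, 55555}
REQUIRED_SIP_PORTS = {5060, 5061, 5600}
REQUIRED_PREPROCESSORS = {"sip", "imap", "pop", "reputation"}
REQUIRED_SMTP_OPTIONS = ("b64_decode_depth", "qp_decode_depth", "bitenc_decode_depth",
                         "uu_decode_depth", "log_mailfrom", "log_rcptto", "log_filename",
                         "log_email_hdrs")

def logical_lines(text):
    """Drop '#' comments and blank lines, join backslash-continued lines, collapse whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(" ".join((buf + line).split()))
        buf = ""
    return out

def portvar(lines, name):
    """Ports of `portvar NAME [...]`, or None if undefined ($refs, ranges and negations skipped)."""
    for line in lines:
        m = re.match(r"portvar %s \[?([^\]]*)\]?$" % re.escape(name), line)
        if m:
            return {int(t) for t in re.split(r"[,\s]+", m.group(1)) if t.isdigit()}
    return None

def preprocessors(lines):
    """Map preprocessor name -> its joined argument string (last definition wins)."""
    return {m.group(1): m.group(2) for m in
            (re.match(r"preprocessor (\w+):?\s*(.*)$", l) for l in lines) if m}

def audit(conf_text):
    """Return findings; an empty list means every change listed in the note is present."""
    lines, findings = logical_lines(conf_text), []
    for name, required in (("HTTP_PORTS", REQUIRED_HTTP_PORTS), ("SIP_PORTS", REQUIRED_SIP_PORTS)):
        ports = portvar(lines, name)
        if ports is None:
            findings.append("%s: portvar not defined" % name)
        elif required - ports:
            findings.append("%s: missing %s" % (name, sorted(required - ports)))
    paf = [m.group(1) for m in (re.match(r"config paf_max:\s*(\S+)$", l) for l in lines) if m]
    if not paf or not paf[-1].isdigit():
        findings.append("paf_max: 'config paf_max: <bytes>' line missing or not numeric")
    pre = preprocessors(lines)
    for name in sorted(REQUIRED_PREPROCESSORS - set(pre)):
        findings.append("preprocessor %s: not configured" % name)
    if "smtp" in pre:
        missing = [o for o in REQUIRED_SMTP_OPTIONS if not re.search(r"\b%s\b" % o, pre["smtp"])]
        if missing:
            findings.append("smtp: missing %s" % ", ".join(missing))
    if "reputation" in pre:
        # Expand $VARs and normalise paths so both lists resolving to one file is detected.
        var_map = dict(m.groups() for m in (re.match(r"var (\w+) (\S+)$", l) for l in lines) if m)
        paths = {}
        for kind in ("whitelist", "blacklist"):
            m = re.search(r"\b%s ([^\s,]+)" % kind, pre["reputation"])
            if m:
                path = re.sub(r"\$(\w+)", lambda v: var_map.get(v.group(1), v.group(0)), m.group(1))
                paths[kind] = os.path.normpath(path)
        if len(paths) == 2 and paths["whitelist"] == paths["blacklist"]:
            findings.append("reputation: whitelist and blacklist both read %s" % paths["whitelist"])
    return findings

# Constructed sample: a pre-2.9.1.0 snort.conf with none of the new settings.
PRE_2910_CONF = """
portvar HTTP_PORTS [80,8080]
preprocessor smtp: ports { 25 587 691 } inspection_type stateful
"""
# Constructed sample with the posted changes, but the blacklist mistakenly pointing at white_list.rules.
CONF_2910 = r"""
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
portvar SIP_PORTS [5060,5061,5600]
var WHITE_LIST_PATH rules/
var BLACK_LIST_PATH rules/
config paf_max: 16000
preprocessor smtp: ports { 25 587 691 } b64_decode_depth 0 qp_decode_depth 0 bitenc_decode_depth 0 \
    uu_decode_depth 0 log_mailfrom log_rcptto log_filename log_email_hdrs
preprocessor sip: max_sessions 40000, ports { 5060 5061 5600 }, max_uri_len 512
preprocessor imap: ports { 143 } b64_decode_depth 0
preprocessor pop: ports { 110 } b64_decode_depth 0
preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, blacklist $BLACK_LIST_PATH/white_list.rules
"""
CONF_2910_FIXED = CONF_2910.replace("$BLACK_LIST_PATH/white_list.rules", "$BLACK_LIST_PATH/black_list.rules")

if __name__ == "__main__":
    for label, conf in (("pre-2.9.1.0", PRE_2910_CONF), ("slip", CONF_2910), ("fixed", CONF_2910_FIXED)):
        print(label, "->", audit(conf) or "OK")
```

Run it against your own file with `audit(open("snort.conf").read())`. It is a pre-flight check for the items in this note only; Snort's own `-T` test mode remains the authoritative syntax check for the whole configuration.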

