Snort mailing list archives

Re: [Snort-Sigs] VRT Rule Update for 08/23/2011: A Special Note about this release.


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 24 Aug 2011 14:40:12 -0400

Yesterday's VRT Subscriber release does have the snort.conf in it.

Tomorrow's release will have it as well with some minor updates.

Joel

On Wed, Aug 24, 2011 at 2:03 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:

Thank you, Joel.

Is there a snort.conf that contains all of these updates?  It doesn't
look as if those bundled with either yesterday's VRT release or the
2.9.1 tarball do.

Thank you very much!

On Tue, Aug 23, 2011 at 2:34 PM, Joel Esler <jesler () sourcefire com> wrote:
Snort Community --

Join us as we welcome the introduction of the newest rule release for
today from the VRT. In this release we introduce 57 new rules and make
modifications to 153 additional rules.

This rule package also includes support for the 2.9.1.0 version.

The following changes are made to the snort.conf in this release. With so
many changes, we recommend rebuilding your snort.conf with a 2.9.1.0
template:

Updated HTTP_PORTS variable:
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]

New SIP_PORTS variable
portvar SIP_PORTS [5060,5061,5600]

New IP Blacklist variables:
var WHITE_LIST_PATH rules/
var BLACK_LIST_PATH rules/

New PAF configuration line (VERY IMPORTANT!)
config paf_max: 16000

Updated stream5 configuration:
ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220
1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777
7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243
8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555

Updated HTTP_INSPECT configuration lines:
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY
POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
SOURCE }
and
ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123
8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }

Updated SMTP preprocessor configuration lines:
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0 \
log_mailfrom \
log_rcptto \
log_filename \
log_email_hdrs

Finally, new preprocessor configurations:

# SIP Session Initiation Protocol preprocessor. For more information see README.sip
preprocessor sip: max_sessions 40000, \
ports { 5060 5061 5600 }, \
methods { invite \
cancel \
ack \
bye \
register \
options \
refer \
subscribe \
update \
join \
info \
message \
notify \
benotify \
do \
qauth \
sprack \
publish \
service \
unsubscribe \
prack }, \
max_uri_len 512, \
max_call_id_len 80, \
max_requestName_len 20, \
max_from_len 256, \
max_to_len 256, \
max_via_len 1024, \
max_contact_len 512, \
max_content_len 2048

# IMAP preprocessor. For more information see README.imap
preprocessor imap: \
ports { 143 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# POP preprocessor. For more information see README.pop
preprocessor pop: \
ports { 110 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules


The Sourcefire VRT has added and modified multiple rules in the backdoor,
blacklist, botnet-cnc, netbios, policy, smtp, specific-threats, spyware-put,
sql and web-misc rule sets to provide coverage for emerging threats from
these technologies.

--
To unsubscribe from this group, send email to
snortsigs+unsubscribe () googlegroups com


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
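A consistency check for a rebuilt snort.conf, as an added example that is not part of the announcement above and not a Sourcefire/VRT tool. When the port lists in the announcement are merged into an existing configuration by hand they drift apart easily: HTTP_PORTS is what the rules match on, the http_inspect_server "ports" list is what the preprocessor normalises, and the stream5_tcp "ports both" list is what gets reassembled (the announcement shows only the "ports both" part of the stream5 line, so run the check against your own complete line). The reputation preprocessor's whitelist and blacklist must also resolve to different files. The script parses those items out of a snort.conf with regular expressions and reports mismatches; the helper names are this example's own, and the embedded fragment is constructed for the demonstration (short port lists in the announcement's style) and deliberately contains both mistakes: a port missing from stream5 and both reputation lists pointing at the same file.

```python
"""Consistency checks for a hand-merged Snort 2.9.1 snort.conf.

Added example: the checks and helper names are this example's own, not a
Sourcefire/VRT tool. SAMPLE_CONF is a constructed fragment that deliberately
contains two merge mistakes (see the comments on it).
"""
import os
import re

# Constructed sample: port 8181 is in HTTP_PORTS and in http_inspect but not in
# stream5 "ports both", and both reputation lists resolve to the same file.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,81,8080,8181,9443]
var WHITE_LIST_PATH rules/
var BLACK_LIST_PATH rules/
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    ports both 80 81 443 8080 9443
preprocessor http_inspect_server: server default \
    http_methods { GET POST OPTIONS HEAD } \
    ports { 80 81 8080 8181 9443 } \
    server_flow_depth 0
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/white_list.rules
"""


def _join_continuations(conf):
    """snort.conf continues a directive on the next line with a trailing backslash."""
    return conf.replace("\\\n", " ")


def _ports(text):
    """Collect every integer in a port list, whatever the separator."""
    return {int(p) for p in re.findall(r"\d+", text)}


def parse_port_lists(conf):
    """Return {list name: set of ports} for the three HTTP-related port lists."""
    joined = _join_continuations(conf)
    patterns = {
        "HTTP_PORTS": r"^\s*portvar\s+HTTP_PORTS\s+\[([^\]]*)\]",
        "stream5 ports both": r"^\s*preprocessor\s+stream5_tcp:.*?\bports\s+both\s+([\d \t]+)",
        "http_inspect ports": r"^\s*preprocessor\s+http_inspect_server:.*?\bports\s*\{([^}]*)\}",
    }
    found = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, joined, re.M)
        if m:
            found[name] = _ports(m.group(1))
    return found


def reputation_files(conf):
    """Return {"whitelist": path, "blacklist": path} with $VAR references expanded."""
    variables = dict(re.findall(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M))
    joined = _join_continuations(conf)
    m = re.search(r"^\s*preprocessor\s+reputation:(.*)$", joined, re.M)
    if not m:
        return {}
    files = {}
    for kind in ("whitelist", "blacklist"):
        # "priority whitelist," is skipped because no path follows the keyword
        k = re.search(r"\b%s\s+(\S+?)\s*(?:,|$)" % kind, m.group(1))
        if k:
            expanded = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), k.group(1))
            files[kind] = os.path.normpath(expanded)
    return files


def check_conf(conf):
    """Return a list of findings; an empty list means the lists are consistent."""
    findings = []
    lists = parse_port_lists(conf)
    http_ports = lists.get("HTTP_PORTS", set())
    inspect_ports = lists.get("http_inspect ports", set())
    stream_ports = lists.get("stream5 ports both", set())
    if http_ports != inspect_ports:
        findings.append(
            "HTTP_PORTS and http_inspect ports differ: only in HTTP_PORTS %s, only in http_inspect %s"
            % (sorted(http_ports - inspect_ports), sorted(inspect_ports - http_ports))
        )
    # stream5 also lists non-HTTP ports (443, 465, ...), so a superset is fine;
    # HTTP ports it does not list are the problem.
    missing = sorted(inspect_ports - stream_ports)
    if missing:
        findings.append("http_inspect ports absent from stream5 'ports both': %s" % missing)
    rep = reputation_files(conf)
    if rep and rep.get("whitelist") == rep.get("blacklist"):
        findings.append("reputation whitelist and blacklist both resolve to %s" % rep["whitelist"])
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("finding:", finding)
```

Point check_conf at your own snort.conf text after merging the lists from the announcement; it reports nothing when HTTP_PORTS and the http_inspect ports match, every http_inspect port is also reassembled by stream5, and the two reputation lists name different files.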
