Snort mailing list archives

Changes made to the Snort.conf


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 28 Dec 2011 10:11:21 -0500

In an effort to better inform the community of changes to the snort.conf file, for some time I've been placing the 
changes on the blog (http://blog.snort.org). However, when we add something to the snort.conf that could potentially 
break installations that I know of, I'll try and remind you on the mailing list as well. Please read the blog for all 
the current information, however. It will ALWAYS be there.

The following changes were made to the snort.conf recently. We suggest you use the most current snort.conf from the VRT 
tarball to upgrade, or use the snort.conf configuration download page found here: Snort.conf configuration page.

Added a variable for GTP_PORTS

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

Changed the rule path for the IP reputation preprocessor; you should modify this in your environment:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Added a configure line for the GTP preprocessor (v2.9.2.0), off by default.

# config enable_gtp

Added some new http_methods to the http inspect preprocessor (v2.9.2.0):

http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA }

Enabled javascript normalization by default in the http inspect preprocessor:

normalize_javascript

Added configurations for the modbus and dnp3 preprocessors:

# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }

# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
memcap 262144 \
check_crc

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
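
Added example, not part of the original message and not Sourcefire's code: a small Python audit that reports which of the items listed in the message above are absent from an existing snort.conf. It assumes `#` starts a comment only at the beginning of a line; the function names and the sample config are constructed for illustration.

```python
import re

# Full http_methods set quoted in the announcement.
HTTP_METHODS = set("""GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE
BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE
PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA""".split())
# Other active (uncommented) items the announcement lists.
DIRECTIVES = ["portvar GTP_PORTS", "var WHITE_LIST_PATH", "var BLACK_LIST_PATH",
              "normalize_javascript", "preprocessor modbus", "preprocessor dnp3"]

def logical_lines(text):
    """Drop blank and comment lines, then join backslash-continued lines."""
    out, buf = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            out.append(buf.strip())
            buf = ""
    return out + ([buf.strip()] if buf else [])

def audit(text):
    """Return the announced items that this snort.conf text lacks."""
    lines = logical_lines(text)
    missing = []
    for name in DIRECTIVES:
        rx = r"(?:^|\s)" + r"\s+".join(map(re.escape, name.split())) + r"(?=[\s:]|$)"
        if not any(re.search(rx, l) for l in lines):
            missing.append(name)
    blocks = [set(b.split()) for l in lines
              for b in re.findall(r"\bhttp_methods\s*\{([^}]*)\}", l)]
    # A method counts as present only if every http_methods block lists it.
    have = set.intersection(*blocks) if blocks else set()
    return missing + ["http_methods: " + m for m in sorted(HTTP_METHODS - have)]

# Constructed sample: a config that predates several of the additions.
SAMPLE = r"""
# config enable_gtp
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT HEAD }
preprocessor modbus: ports { 502 }
"""

if __name__ == "__main__":
    print("\n".join("missing: " + item for item in audit(SAMPLE)))
```

To check a real file, pass its contents to `audit()`; an empty result means every listed item is present and uncommented.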