Snort mailing list archives

Re: [Snort-Sigs] Changes made to the Snort.conf


From: Joel Esler <joel.esler () me com>
Date: Thu, 29 Dec 2011 14:41:43 -0500

Miguel,

I'm looking into this and will get it fixed.

J

On Wed, Dec 28, 2011 at 12:24 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:

Hi Joel,

On Wed, Dec 28, 2011 at 4:11 PM, Joel Esler <jesler () sourcefire com> wrote:
In an effort to better inform the community of changes to the snort.conf file, for some time I've been placing the changes on the blog (http://blog.snort.org). However, when we add something to the snort.conf that could potentially break installations that I know of, I'll try and remind you on the mailing list as well. Please read the blog for all the current information however. It will ALWAYS be there.

The following changes were made to the snort.conf recently. We suggest you use the most current snort.conf from the VRT tarball to upgrade, or use the snort.conf configuration download page found here: Snort.conf configuration page.

Added a variable for GTP_PORTS

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

Changed the rule path for the IP reputation preprocessor; you should modify this in your environment:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

I noticed that the current 292 snort.conf at http://labs.snort.org/snort/2920/snort.conf doesn't have the reputation preprocessor stanza. 2.9.1.2 (http://labs.snort.org/snort/2912/snort.conf) has this:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH/white_list.rules, \
  blacklist $BLACK_LIST_PATH/black_list.rules

I know the rule path has changed, but is the rest now obsolete?

Added a configure line for the GTP preprocessor (v2.9.2.0), off by default.

# config enable_gtp

Added some new http_methods to the http inspect preprocessor (v2.9.2.0):

http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA }

Enabled javascript normalization by default in the http inspect
preprocessor:

normalize_javascript

Added configurations for the modbus and dnp3 preprocessors:

# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }

# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
  memcap 262144 \
  check_crc

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

--
To unsubscribe from this group, send email to
snortsigs+unsubscribe () googlegroups com


Please visit http://blog.snort.org for the latest news about Snort!





-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
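The changes Joel lists above, as an added audit script that is not part of the thread: it checks a snort.conf for the uncommented GTP_PORTS variable, the reputation path variables and stanza, the enable_gtp line, normalize_javascript, and the modbus and dnp3 preprocessors. The sample conf it writes is constructed and the function names are hypothetical.

```shell
# Added example, not from the thread: audit a snort.conf for the changes
# Joel lists above. The sample conf below is constructed, not a real file.

# check_snort_conf FILE: print "present:" or "MISSING:" for each item.
# Only uncommented lines count, so "# config enable_gtp" reports MISSING.
check_snort_conf() {
    conf="$1"
    while IFS='|' read -r label pattern; do
        if grep -Eq "^[[:space:]]*$pattern" "$conf"; then
            printf 'present: %s\n' "$label"
        else
            printf 'MISSING: %s\n' "$label"
        fi
    done <<'EOF'
GTP_PORTS portvar|portvar[[:space:]]+GTP_PORTS
WHITE_LIST_PATH var|var[[:space:]]+WHITE_LIST_PATH
BLACK_LIST_PATH var|var[[:space:]]+BLACK_LIST_PATH
reputation preprocessor|preprocessor[[:space:]]+reputation:
enable_gtp config (off by default)|config[[:space:]]+enable_gtp
normalize_javascript option|normalize_javascript
modbus preprocessor|preprocessor[[:space:]]+modbus:
dnp3 preprocessor|preprocessor[[:space:]]+dnp3:
EOF
}

# count_missing FILE: number of MISSING items (0 when fully upgraded).
count_missing() {
    check_snort_conf "$1" | grep -c '^MISSING:' || true
}

# write_sample_conf FILE: constructed excerpt of a half-upgraded snort.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
portvar GTP_PORTS [2123,2152,3386]
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# config enable_gtp
preprocessor reputation: \
  memcap 500, \
  whitelist $WHITE_LIST_PATH/white_list.rules, \
  blacklist $BLACK_LIST_PATH/black_list.rules
preprocessor modbus: ports { 502 }
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
check_snort_conf "$tmp"
rm -f "$tmp"
```

Run it against your real snort.conf with `check_snort_conf /etc/snort/snort.conf` to see which of the listed stanzas your upgrade still lacks.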