Snort mailing list archives
Re: [Snort-Sigs] Changes made to the Snort.conf
From: Joel Esler <joel.esler () me com>
Date: Thu, 29 Dec 2011 14:41:43 -0500
Miguel, I'm looking into this and will get it fixed. J On Wed, Dec 28, 2011 at 12:24 PM, Miguel Alvarez <miguellvrz9 () gmail com>wrote:
Hi Joel, On Wed, Dec 28, 2011 at 4:11 PM, Joel Esler <jesler () sourcefire com> wrote:In an effort to better inform the community of changes to the snort.conf file, for some time I've been placing the changes on the blog (http://blog.snort.org), however, when we add something to thesnort.confthat could potentially break installations that I know of, I'll try and remind you on the mailing list as well. Please read the blog for all the current information however. It will ALWAYS be there. The following changes were made to the snort.conf recently, we suggestyouuse the most current snort.conf from the VRT tarball to upgrade, or usethesnort.conf configuration download page found here: Snort.confconfigurationpage. Added a variable for GTP_PORTS # List of GTP ports for GTP preprocessor portvar GTP_PORTS [2123,2152,3386] Changed the rule path for the IP reputation preprocessor, you shouldmodifythis in your environment: var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rulesI noticed that the current 292 snort.conf at http://labs.snort.org/snort/2920/snort.conf doesn't have the reputation preprocessor stanza. 2.9.1.2 http://labs.snort.org/snort/2912/snort.conf has this: # Reputation preprocessor. For more information see README.reputation preprocessor reputation: \ memcap 500, \ priority whitelist, \ nested_ip inner, \ whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules I know the rule path has changed, but is the rest now obsolete?Added a configure line for the GTP preprocessor (v2.9.2.0), off bydefault.# config enable_gtp Added some new http_methods to the http inspect preprocessor (v2.9.2.0): http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFYPOLLBCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } Enabled javascript normalization by default in the http inspect preprocessor: normalize_javascript Added configurations for the modbus and dnp3 preprocessors: # Modbus preprocessor. For more information see README.modbus preprocessor modbus: ports { 502 } # DNP3 preprocessor. For more information see README.dnp3 preprocessor dnp3: ports { 20000 } \ memcap 262144 \ check_crc -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire -- To unsubscribe from this group, send email to snortsigs+unsubscribe () googlegroups com Please visit http://blog.snort.org for the latest news about Snort!-- To unsubscribe from this group, send email to snortsigs+unsubscribe () googlegroups com Please visit http://blog.snort.org for the latest news about Snort!
-- Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net Twitter: http://twitter.com/snort
------------------------------------------------------------------------------ Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Changes made to the Snort.conf Joel Esler (Dec 28)
- Re: [Snort-Sigs] Changes made to the Snort.conf Miguel Alvarez (Dec 28)
- Re: [Snort-Sigs] Changes made to the Snort.conf Joel Esler (Dec 29)
- Re: [Snort-Sigs] Changes made to the Snort.conf Miguel Alvarez (Dec 28)