Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf

[Jamie Riden <jamie.riden () gmail com>]

I assume he's "Manager of Awesome" for a reason :)

On 20 July 2012 16:40, Joel Esler <jesler () sourcefire com> wrote:
> Ah, Nigel must have put them up there for me.
>
> Thanks to Nigel!
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Jul 20, 2012, at 11:36 AM, "Weir, Jason" <jason.weir () nhrs org> wrote:
>
> Looks like its already there
>
> http://labs.snort.org/snort/2930/snort.2930.conf
>
> -J
>
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Friday, July 20, 2012 11:20 AM
> To: Michael Steele
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing
> fromsnort.conf
>
> The 2.9.3.0 snort.conf is almost exactly the same (except for the version
> number at the top of the snort.conf) as the 2.9.2.3 conf.
>
> As always, you shouldn't use the snort.conf that ships in the tarball, you
> should use the snort.confs here:
> http://www.snort.org/vrt/snort-conf-configurations/
>
> I'll work on getting 2.9.3.0's up today.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com> wrote:
>
>
> I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there are
> 11 groups of rules omitted from the include statement (see the missing ones
> below). Usually all the rule groups listed under Step 7 of the snort.conf
> are included in the rule tarball.
>
> I don't have access to the 2930 rule tarball so I'm not sure if those 11
> groups have been pulled from the tarball?
>
> include $RULE_PATH/file-office.rules
> include $RULE_PATH/file-other.rules
> include $RULE_PATH/file-pdf.rules
> include $RULE_PATH/indicator-compromise.rules
> include $RULE_PATH/indicator-obfuscation.rules
> include $RULE_PATH/policy-multimedia.rules
> include $RULE_PATH/policy-other.rules
> include $RULE_PATH/policy-social.rules
> include $RULE_PATH/pua-p2p.rules
> include $RULE_PATH/pua-toolbars.rules
> include $RULE_PATH/server-mail.rules
>
>
> Also, is the below a clerical error in the snort.conf, or is that correct?
>
> Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type stateful
> encrypted_traffic no check_encrypted
>
> Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type stateful
> encrypted_traffic no
>
> Kindest regards,
> Michael...
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!