Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf

[JJC <cummingsj () gmail com>]

In addition to that, this is one of the big benefits of using pulledpork
and having a single rules file, they all get shoved in there!

JJC

On Fri, Jul 20, 2012 at 10:06 AM, Joel Esler <jesler () sourcefire com> wrote:

> Nigel makes the world go round.
>
> ;)
>
> On Jul 20, 2012, at 12:05 PM, Jamie Riden <jamie.riden () gmail com> wrote:
>
> > I assume he's "Manager of Awesome" for a reason :)
> >
> > On 20 July 2012 16:40, Joel Esler <jesler () sourcefire com> wrote:
> > > Ah, Nigel must have put them up there for me.
> > >
> > > Thanks to Nigel!
> > >
> > > --
> > > Joel Esler
> > > Senior Research Engineer, VRT
> > > OpenSource Community Manager
> > > Sourcefire
> > >
> > > On Jul 20, 2012, at 11:36 AM, "Weir, Jason" <jason.weir () nhrs org>
> wrote:
> > > Looks like its already there
> > >
> > > http://labs.snort.org/snort/2930/snort.2930.conf
> > >
> > > -J
> > >
> > > From: Joel Esler [mailto:jesler () sourcefire com]
> > > Sent: Friday, July 20, 2012 11:20 AM
> > > To: Michael Steele
> > > Cc: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing
> > > fromsnort.conf
> > >
> > > The 2.9.3.0 snort.conf is almost exactly the same (except for the
> version
> > > number at the top of the snort.conf) as the 2.9.2.3 conf.
> > >
> > > As always, you shouldn't use the snort.conf that ships in the tarball,
> you
> > > should use the snort.confs here:
> > > http://www.snort.org/vrt/snort-conf-configurations/
> > >
> > > I'll work on getting 2.9.3.0's up today.
> > >
> > > --
> > > Joel Esler
> > > Senior Research Engineer, VRT
> > > OpenSource Community Manager
> > > Sourcefire
> > >
> > > On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com>
> wrote:
> > > I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there
> are
> > > 11 groups of rules omitted from the include statement (see the missing
> ones
> > > below). Usually all the rule groups listed under Step 7 of the
> snort.conf
> > > are included in the rule tarball.
> > >
> > > I don't have access to the 2930 rule tarball so I'm not sure if those 11
> > > groups have been pulled from the tarball?
> > >
> > > include $RULE_PATH/file-office.rules
> > > include $RULE_PATH/file-other.rules
> > > include $RULE_PATH/file-pdf.rules
> > > include $RULE_PATH/indicator-compromise.rules
> > > include $RULE_PATH/indicator-obfuscation.rules
> > > include $RULE_PATH/policy-multimedia.rules
> > > include $RULE_PATH/policy-other.rules
> > > include $RULE_PATH/policy-social.rules
> > > include $RULE_PATH/pua-p2p.rules
> > > include $RULE_PATH/pua-toolbars.rules
> > > include $RULE_PATH/server-mail.rules
> > >
> > >
> > > Also, is the below a clerical error in the snort.conf, or is that
> correct?
> > > Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type
> stateful
> > > encrypted_traffic no check_encrypted
> > >
> > > Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type
> stateful
> > > encrypted_traffic no
> > >
> > > Kindest regards,
> > > Michael...
> ------------------------------------------------------------------------------
> > > Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security and
> > > threat landscape has changed and how IT managers can respond.
> Discussions
> > > will include endpoint security, mobile security and the latest in
> malware
> > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
> ------------------------------------------------------------------------------
> > > Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security and
> > > threat landscape has changed and how IT managers can respond.
> Discussions
> > > will include endpoint security, mobile security and the latest in
> malware
> > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
> >
> >
> >
> > --
> > Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
> > http://uk.linkedin.com/in/jamieriden
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!