Snort mailing list archives
Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf
From: "Michael Steele" <michaels () winsnort com>
Date: Tue, 24 Jul 2012 17:21:17 -0400
What happens if for some reason one or more of the .rule files are missing from a new rule tarball update that PP is merging into an active IDS, or IPS? In my case I was using the snort.conf that came with 2.9.3.0, which omitted a bunch of .rules in the snort.conf, and there were typos. Now I'm advised to only use the snort.conf from the web URL that was posted. This most likely confused the heck out of most new users. Between the VRT rules, the Registered users rules, and the snort tarball there are multiple duplicated files and folders. Kindest regards, Michael... From: JJC [mailto:cummingsj () gmail com] Sent: Tuesday, July 24, 2012 11:56 AM To: Joel Esler Cc: Jamie Riden; Michael Steele; snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf In addition to that, this is one of the big benefits of using pulledpork and having a single rules file, they all get shoved in there! JJC On Fri, Jul 20, 2012 at 10:06 AM, Joel Esler <jesler () sourcefire com> wrote: Nigel makes the world go round. ;) On Jul 20, 2012, at 12:05 PM, Jamie Riden <jamie.riden () gmail com> wrote:
I assume he's "Manager of Awesome" for a reason :) On 20 July 2012 16:40, Joel Esler <jesler () sourcefire com> wrote:Ah, Nigel must have put them up there for me. Thanks to Nigel! -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 20, 2012, at 11:36 AM, "Weir, Jason" <jason.weir () nhrs org> wrote: Looks like its already there http://labs.snort.org/snort/2930/snort.2930.conf -J From: Joel Esler [mailto:jesler () sourcefire com] Sent: Friday, July 20, 2012 11:20 AM To: Michael Steele Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf The 2.9.3.0 snort.conf is almost exactly the same (except for the version number at the top of the snort.conf) as the 2.9.2.3 conf. As always, you shouldn't use the snort.conf that ships in the tarball,
you
should use the snort.confs here: http://www.snort.org/vrt/snort-conf-configurations/ I'll work on getting 2.9.3.0's up today. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com>
wrote:
I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there
are
11 groups of rules omitted from the include statement (see the missing
ones
below). Usually all the rule groups listed under Step 7 of the snort.conf are included in the rule tarball. I don't have access to the 2930 rule tarball so I'm not sure if those 11 groups have been pulled from the tarball? include $RULE_PATH/file-office.rules include $RULE_PATH/file-other.rules include $RULE_PATH/file-pdf.rules include $RULE_PATH/indicator-compromise.rules include $RULE_PATH/indicator-obfuscation.rules include $RULE_PATH/policy-multimedia.rules include $RULE_PATH/policy-other.rules include $RULE_PATH/policy-social.rules include $RULE_PATH/pua-p2p.rules include $RULE_PATH/pua-toolbars.rules include $RULE_PATH/server-mail.rules Also, is the below a clerical error in the snort.conf, or is that
correct?
Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no Kindest regards, Michael...
---------------------------------------------------------------------------- --
Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest
Snort
news!
---------------------------------------------------------------------------- --
Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest
Snort
news!-- Jamie Riden / jamie () honeynet org / jamie.riden () gmail com http://uk.linkedin.com/in/jamieriden
---------------------------------------------------------------------------- -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort 2.9.3.0 - Some groups of rules missing from snort.conf Michael Steele (Jul 19)
- Re: Snort 2.9.3.0 - Some groups of rules missing from snort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Weir, Jason (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Jamie Riden (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf JJC (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Michael Steele (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Weir, Jason (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing from snort.conf Joel Esler (Jul 20)