Snort mailing list archives

Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 24 Jul 2012 17:33:47 -0400

The files that are included in the tarball (sid-msg.map and snort.conf namely) are there to give people a running start
with getting Snort up and running. We try and keep things to a minimum if all you want to do is get things going. We
have some work to do in this area yet, but we're working on it.

That being said.

First,
The snort.conf that you should use is the snort.conf that comes in the VRT tarball. That snort.conf is the same
snort.conf that I put on the labs.snort.org website when it changes:
http://www.snort.org/vrt/snort-conf-configurations/

If you Search any engine for "snort.conf examples" or the like, that hit is first. The sig-msg.map is also updated in
the Snort tarball every release, but you truly should generate your own sid-msg.map, so it includes the sids of any
custom rules you may have written. PulledPork does this for you.

Second,
We distribute one type of ruleset. The VRT ruleset. How soon you have access to the updates is what you are paying
the subscriber fee for. We publish a rule tarball to subscribers, and on the backend, 30 days later, that same exact
file rolls over to the registered users. It's the same ruleset, we don't put out "Pro rules and free rules" as some
people tend to think. We put out the same rule pack to everyone, and it's totally free if you are willing to wait the
30 days. If you want the rules right now, that's the subscription fee you pay for.
d
PulledPork doesn't read the snort.conf to determine which rule files to include in it's master snort.rules file. It
read the rule files themselves. That's why we recommend so heavily that you use it, as we are going through the rule
recategorization. (http://blog.snort.org/2012/03/rule-category-reorganization.html ) So it doesn't matter which
snort.conf you are using (using what you were saying), pulledpork takes care of it for you. (and a ton of other things
like flowbit resolution (http://blog.snort.org/2012/01/importance-of-pulledpork.html and shared object rules (if you
use those)).

For those of you still using Oinkmaster, I suggest you move on.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 24, 2012, at 5:21 PM, "Michael Steele" <michaels () winsnort com> wrote:

What happens if for some reason one or more of the .rule files are missing from a new rule tarball update that PP is 
merging into an active IDS, or IPS?
 
In my case I was using the snort.conf that came with 2.9.3.0, which omitted a bunch of .rules in the snort.conf, and 
there were typos. Now I’m advised to only use the snort.conf from the web  URL that was posted.
 
This most likely confused the heck out of most new users. Between the VRT rules, the Registered users rules, and the 
snort tarball there are multiple duplicated files and folders.
 
Kindest regards,
Michael...
 
 
From: JJC [mailto:cummingsj () gmail com] 
Sent: Tuesday, July 24, 2012 11:56 AM
To: Joel Esler
Cc: Jamie Riden; Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf
 
In addition to that, this is one of the big benefits of using pulledpork and having a single rules file, they all get 
shoved in there!
 
JJC

On Fri, Jul 20, 2012 at 10:06 AM, Joel Esler <jesler () sourcefire com> wrote:
Nigel makes the world go round.

;)

On Jul 20, 2012, at 12:05 PM, Jamie Riden <jamie.riden () gmail com> wrote:

I assume he's "Manager of Awesome" for a reason :)

On 20 July 2012 16:40, Joel Esler <jesler () sourcefire com> wrote:

Ah, Nigel must have put them up there for me.

Thanks to Nigel!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 20, 2012, at 11:36 AM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Looks like its already there

http://labs.snort.org/snort/2930/snort.2930.conf

-J

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, July 20, 2012 11:20 AM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing
fromsnort.conf

The 2.9.3.0 snort.conf is almost exactly the same (except for the version
number at the top of the snort.conf) as the 2.9.2.3 conf.

As always, you shouldn't use the snort.conf that ships in the tarball, you
should use the snort.confs here:
http://www.snort.org/vrt/snort-conf-configurations/

I'll work on getting 2.9.3.0's up today.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com> wrote:


I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there are
11 groups of rules omitted from the include statement (see the missing ones
below). Usually all the rule groups listed under Step 7 of the snort.conf
are included in the rule tarball.

I don't have access to the 2930 rule tarball so I'm not sure if those 11
groups have been pulled from the tarball?

include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/server-mail.rules


Also, is the below a clerical error in the snort.conf, or is that correct?

Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type stateful
encrypted_traffic no check_encrypted

Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type stateful
encrypted_traffic no

Kindest regards,
Michael...


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!




--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort 2.9.3.0 - Some groups of rules missing from snort.conf Michael Steele (Jul 19)
- Re: Snort 2.9.3.0 - Some groups of rules missing from snort.conf Joel Esler (Jul 20)
  - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Weir, Jason (Jul 20)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Jamie Riden (Jul 20)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf JJC (Jul 24)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Michael Steele (Jul 24)
    - Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 24)