Snort mailing list archives
Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 24 Jul 2012 17:33:47 -0400
The files that are included in the tarball (sid-msg.map and snort.conf namely) are there to give people a running start with getting Snort up and running. We try and keep things to a minimum if all you want to do is get things going. We have some work to do in this area yet, but we're working on it. That being said. First, The snort.conf that you should use is the snort.conf that comes in the VRT tarball. That snort.conf is the same snort.conf that I put on the labs.snort.org website when it changes: http://www.snort.org/vrt/snort-conf-configurations/ If you Search any engine for "snort.conf examples" or the like, that hit is first. The sig-msg.map is also updated in the Snort tarball every release, but you truly should generate your own sid-msg.map, so it includes the sids of any custom rules you may have written. PulledPork does this for you. Second, We distribute one type of ruleset. The VRT ruleset. How soon you have access to the updates is what you are paying the subscriber fee for. We publish a rule tarball to subscribers, and on the backend, 30 days later, that same exact file rolls over to the registered users. It's the same ruleset, we don't put out "Pro rules and free rules" as some people tend to think. We put out the same rule pack to everyone, and it's totally free if you are willing to wait the 30 days. If you want the rules right now, that's the subscription fee you pay for. d PulledPork doesn't read the snort.conf to determine which rule files to include in it's master snort.rules file. It read the rule files themselves. That's why we recommend so heavily that you use it, as we are going through the rule recategorization. (http://blog.snort.org/2012/03/rule-category-reorganization.html ) So it doesn't matter which snort.conf you are using (using what you were saying), pulledpork takes care of it for you. (and a ton of other things like flowbit resolution (http://blog.snort.org/2012/01/importance-of-pulledpork.html and shared object rules (if you use those)). For those of you still using Oinkmaster, I suggest you move on. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 24, 2012, at 5:21 PM, "Michael Steele" <michaels () winsnort com> wrote:
What happens if for some reason one or more of the .rule files are missing from a new rule tarball update that PP is merging into an active IDS, or IPS? In my case I was using the snort.conf that came with 2.9.3.0, which omitted a bunch of .rules in the snort.conf, and there were typos. Now I’m advised to only use the snort.conf from the web URL that was posted. This most likely confused the heck out of most new users. Between the VRT rules, the Registered users rules, and the snort tarball there are multiple duplicated files and folders. Kindest regards, Michael... From: JJC [mailto:cummingsj () gmail com] Sent: Tuesday, July 24, 2012 11:56 AM To: Joel Esler Cc: Jamie Riden; Michael Steele; snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf In addition to that, this is one of the big benefits of using pulledpork and having a single rules file, they all get shoved in there! JJC On Fri, Jul 20, 2012 at 10:06 AM, Joel Esler <jesler () sourcefire com> wrote: Nigel makes the world go round. ;) On Jul 20, 2012, at 12:05 PM, Jamie Riden <jamie.riden () gmail com> wrote:I assume he's "Manager of Awesome" for a reason :) On 20 July 2012 16:40, Joel Esler <jesler () sourcefire com> wrote:Ah, Nigel must have put them up there for me. Thanks to Nigel! -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 20, 2012, at 11:36 AM, "Weir, Jason" <jason.weir () nhrs org> wrote: Looks like its already there http://labs.snort.org/snort/2930/snort.2930.conf -J From: Joel Esler [mailto:jesler () sourcefire com] Sent: Friday, July 20, 2012 11:20 AM To: Michael Steele Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf The 2.9.3.0 snort.conf is almost exactly the same (except for the version number at the top of the snort.conf) as the 2.9.2.3 conf. As always, you shouldn't use the snort.conf that ships in the tarball, you should use the snort.confs here: http://www.snort.org/vrt/snort-conf-configurations/ I'll work on getting 2.9.3.0's up today. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jul 19, 2012, at 7:16 PM, Michael Steele <michaels () winsnort com> wrote: I noticed doing a diff of the 2.9.2.3 and 2.9.3.0 snort.conf that there are 11 groups of rules omitted from the include statement (see the missing ones below). Usually all the rule groups listed under Step 7 of the snort.conf are included in the rule tarball. I don't have access to the 2930 rule tarball so I'm not sure if those 11 groups have been pulled from the tarball? include $RULE_PATH/file-office.rules include $RULE_PATH/file-other.rules include $RULE_PATH/file-pdf.rules include $RULE_PATH/indicator-compromise.rules include $RULE_PATH/indicator-obfuscation.rules include $RULE_PATH/policy-multimedia.rules include $RULE_PATH/policy-other.rules include $RULE_PATH/policy-social.rules include $RULE_PATH/pua-p2p.rules include $RULE_PATH/pua-toolbars.rules include $RULE_PATH/server-mail.rules Also, is the below a clerical error in the snort.conf, or is that correct? Snort 2.9.2.3 -> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted Snort 2.9.3 ---> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no Kindest regards, Michael... ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Jamie Riden / jamie () honeynet org / jamie.riden () gmail com http://uk.linkedin.com/in/jamieriden------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort 2.9.3.0 - Some groups of rules missing from snort.conf Michael Steele (Jul 19)
- Re: Snort 2.9.3.0 - Some groups of rules missing from snort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Weir, Jason (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Jamie Riden (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf JJC (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Michael Steele (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Joel Esler (Jul 24)
- Re: Snort 2.9.3.0 - Some groups of rules missing fromsnort.conf Weir, Jason (Jul 20)
- Re: Snort 2.9.3.0 - Some groups of rules missing from snort.conf Joel Esler (Jul 20)