Snort mailing list archives

Re: Clarification about Snort configuration files


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 7 Mar 2016 11:16:19 +0000

I'll double check and update the ones on the website.

--
Joel Esler
iPhone

On Mar 7, 2016, at 3:15 AM, Y M <snort () outlook com> wrote:


Hello,

I am trying to standardize which configuration file versions to use. This has been mentioned before on the list;
however, it did not discuss the various configuration files as far as I recall. Here is what I came up with so far:

1. snort.conf exists in the following locations:

    - snort-2.9.8.0/etc/snort.conf (Snort source tarball)
    - snortrules-snapshot-2980/etc/snort.conf (Snort rules tarball)
    - Configuration Examples at: https://www.snort.org/documents/snort-2980-conf

    From a diff among the 3 files, it seems that snort.conf in the Snort rules tarball is the latest. This makes sense as
the configurations may get updated during a rules release cycle.

2. classification.config exists in the following locations:

    - snort-2.9.8.0/etc/classification.config
    - snortrules-snapshot-2980/etc/classification.config
    - Configuration Examples at: https://www.snort.org/documents/classification-config

    classification.config contents are equal among the three files. The only difference is that classification.config in
the Snort rules tarball follows Capitalize Each Word for readability. The classification.config in the Snort rules tarball
and the one downloaded from the example configurations are equal and even have the same hash.

3. gen-msg.map exists in the following locations:

    - snort-2.9.8.0/etc/gen-msg.map
    - Configuration Examples at: https://www.snort.org/documents/gen-msg-map

    This one is tricky. The gen-msg.map in the source tarball (snort-2.9.8.0/etc/gen-msg.map) has more GIDs/SIDs, for
example GID 120, SID 12-18; however, the latest rules release does not seem to contain rules for such GIDs/SIDs.

4. reference.config exists in the following locations:

    - snort-2.9.8.0/etc/reference.config
    - snortrules-snapshot-2980/etc/reference.config
    - Configuration Examples at: https://www.snort.org/documents/reference-config

    No difference between the file in snortrules-snapshot-2980/etc/reference.config and the one downloaded from
Configuration Examples. However, both differ from the one in snort-2.9.8.0/etc/reference.config, though the
difference is minor and should not affect functionality.
diff --git a/snort-2.9.8.0/etc/reference.config b/reference-config
index a499bb3..7d9cef3 100644
--- a/snort-2.9.8.0/etc/reference.config
+++ b/reference-config
@@ -1,4 +1,4 @@
-# $Id$
+# $Id: reference.config,v 1.3 2012/03/23 20:25:04 nhoughton Exp $
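Review bot: the header `@@ -1,4 +1,4 @@` promises four lines on each side, but only the two changed lines are reproduced here, so the context lines that would confirm nothing else in the file moved are missing. What is visible is the unexpanded `$Id$` keyword being replaced by its expanded RCS form inside a `#` comment, which supports the claim that the difference does not affect functionality; the full hunk should be pasted before relying on that.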

5. unicode.map exists in the following locations:

    - snort-2.9.8.0/etc/unicode.map
    - snortrules-snapshot-2980/etc/unicode.map

    The file in snort-2.9.8.0/etc/unicode.map seems to be the recent one for two reasons (guessing): 1) it contains
additional unicode maps; 2) the "Windows Version" at the top of the file is higher and matches Windows 7 SP1
(5.00.2195 vs. 6.01.7601).


6. In the case of threshold.conf, it does not really matter since the entire contents are commented out.

To summarize:

- snort.conf: use the one in snortrules-snapshot-2980/etc/
- classification.config: use any of the available files, but it is probably better to choose one and stick to it, maybe
the one in snortrules-snapshot-2980/etc/
- gen-msg.map: probably the one from the Configuration Examples: https://www.snort.org/documents/gen-msg-map
- reference.config: use any of the available files, but it is probably better to choose one and stick to it, maybe the
one in snortrules-snapshot-2980/etc/
- unicode.map: probably use the one in snort-2.9.8.0/etc/

Can anyone please comment on the above and correct any assumptions, maybe Joel?

Please note that the above information is based on the data available at the time of this writing.

Thanks.
YM
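The comparison the post does by hand (hashing and diffing each file from its three sources) can be made semantic, so that the comment-only `$Id$` line and the Capitalize Each Word differences it notes are ignored while missing or changed entries are still reported. The script below is an added example, not code from the post or from the Snort project. It assumes the line formats `config classification: name,description,priority`, `config reference: system url` and `gid || sid || message`; the sample file contents are constructed to mimic the differences described, not copied from any Snort release.

```python
#!/usr/bin/env python3
"""Semantic comparison of Snort auxiliary configuration files (added example).

Each parser drops comments and blank lines, normalises whitespace and keys the
entries by their identifier, so two copies that differ only in an RCS $Id$
comment or in description capitalisation compare as functionally equal.
"""
import re

CLASSIFICATION_RE = re.compile(r"^config\s+classification:\s*(.+)$")
REFERENCE_RE = re.compile(r"^config\s+reference:\s*(\S+)\s+(\S+)")


def _content_lines(text):
    """Yield stripped lines that are neither blank nor '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_classification(text):
    """classification.config -> {short_name: (description_lower, priority)}."""
    entries = {}
    for line in _content_lines(text):
        m = CLASSIFICATION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised classification line: {line!r}")
        name, desc, prio = (p.strip() for p in m.group(1).split(",", 2))
        # Description is compared case-insensitively: the post reports that the
        # rules-tarball copy only differs in capitalisation.
        entries[name.lower()] = (desc.lower(), int(prio))
    return entries


def parse_reference(text):
    """reference.config -> {system_name: url}."""
    entries = {}
    for line in _content_lines(text):
        m = REFERENCE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised reference line: {line!r}")
        entries[m.group(1).lower()] = m.group(2)
    return entries


def parse_gen_msg(text):
    """gen-msg.map -> {(gid, sid): message}."""
    entries = {}
    for line in _content_lines(text):
        parts = [p.strip() for p in line.split("||")]
        if len(parts) != 3:
            raise ValueError(f"unrecognised gen-msg line: {line!r}")
        entries[(int(parts[0]), int(parts[1]))] = parts[2]
    return entries


def compare(a, b):
    """Return (only_in_a, only_in_b, changed) as sorted key lists."""
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    changed = sorted(k for k in a if k in b and a[k] != b[k])
    return only_a, only_b, changed


def functionally_equal(a, b):
    """True when both parsed files carry exactly the same entries."""
    return compare(a, b) == ([], [], [])


# Constructed samples (not real Snort files): an unexpanded vs. expanded $Id$
# comment plus a capitalisation change, which must compare equal ...
SOURCE_TARBALL_CLASS = """\
# $Id$
config classification: not-suspicious,Not suspicious traffic,3
config classification: attempted-admin,Attempted administrator privilege gain,1
"""
RULES_TARBALL_CLASS = """\
# $Id: constructed placeholder $
config classification: not-suspicious,Not Suspicious Traffic,3

config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""
# ... and a gen-msg.map pair where one copy carries an extra (constructed) entry.
GEN_MSG_SOURCE = """\
1 || 1 || snort general alert
120 || 12 || constructed example event
"""
GEN_MSG_EXAMPLES = """\
1 || 1 || snort general alert
"""

if __name__ == "__main__":
    a, b = parse_classification(SOURCE_TARBALL_CLASS), parse_classification(RULES_TARBALL_CLASS)
    print("classification.config functionally equal:", functionally_equal(a, b))
    only_src, only_ex, changed = compare(parse_gen_msg(GEN_MSG_SOURCE), parse_gen_msg(GEN_MSG_EXAMPLES))
    print("gen-msg.map only in source tarball:", only_src)
    print("gen-msg.map only in examples copy:", only_ex, "changed:", changed)
```

To use it on real files, read each candidate with `open(path).read()` and pass the text to the matching parser; `compare` then lists exactly which GID/SID pairs or classification names differ, which is more actionable than a raw `diff` when the copies also differ in comments and case.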



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!