[Snort-users] Snort Upgrade

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Apr 8 14:10:54 EDT 2009

Just upgraded, tested with -T and it seemed to work.  I also needed to comment out the line to load the old pre-processor and added one to load the new one (dce2 I'm assuming).

-----Original Message-----
From: Matt Watchinski [mailto:mwatchinski at ...1935...] 
Sent: April 08, 2009 10:40 AM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Upgrade

You'll need to add something like the following to your snort.conf for
2.8.4 and the new dcerpcv2

preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
smb_max_chain 3

and remove the old preprocessor dcerpc statements.


On Wed, Apr 8, 2009 at 1:34 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> Hi,
> I'm about to do the snort upgrade (just waiting for a clone of my machine to
> finish).  Do we need to manually add anything to our existing snort.conf
> file to have the new dcperc pre-processor work?  Or anything else for that
> matter?
> Thanks,
> Shawn
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

More information about the Snort-users mailing list