[Snort-users] [Snort-Sigs] VRT Rule Update for 08/23/2011: A Special Note about this release.

Joel Esler jesler at ...1935...
Wed Aug 24 14:40:12 EDT 2011


Yesterday's VRT Subscriber release does have the snort.conf in it.

Tomorrow's release will have it as well with some minor updates.

Joel

On Wed, Aug 24, 2011 at 2:03 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:

> Thank you, Joel.
>
> Is there a snort.conf that contains all of these updates?  It doesn't
> look as if those bundled with either yesterday's VRT release or the
> 2.9.1 tarball do.
>
> Thank you very much!
>
> On Tue, Aug 23, 2011 at 2:34 PM, Joel Esler <jesler at ...1935...> wrote:
> > Snort Community --
> >
> > Join us as we welcome the introduction of the newest rule release for
> > today from the VRT. In this release we introduce 57 new rules and make
> > modifications to 153 additional rules.
> >
> > This rule package also includes support for the 2.9.1.0 version.
> >
> > The following changes are made to the Snort.conf in this release, with so
> > many changes we recommend rebuilding your snort.conf with a 2.9.1.0
> > template:
> >
> > Updated HTTP_PORTS variable:
> > portvar HTTP_PORTS
> > [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
> >
> > New SIP_PORTS variable
> > portvar SIP_PORTS [5060,5061,5600]
> >
> > New IP Blacklist variables:
> > var WHITE_LIST_PATH rules/
> > var BLACK_LIST_PATH rules/
> >
> > New PAF configuration line (VERY IMPORTANT!)
> > config paf_max: 16000
> >
> > Updated stream5 configuration:
> > ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220
> > 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777
> > 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243
> > 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
> >
> > Updated HTTP_INSPECT configuration lines:
> > http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY
> > POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
> > SOURCE }
> > and
> > ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
> > 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123
> > 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }
> >
> > Updated SMTP preprocessor configuration lines:
> > b64_decode_depth 0 \
> > qp_decode_depth 0 \
> > bitenc_decode_depth 0 \
> > uu_decode_depth 0 \
> > log_mailfrom \
> > log_rcptto \
> > log_filename \
> > log_email_hdrs
> >
> > Finally, new preprocessor configurations:
> >
> > # SIP Session Initiation Protocol preprocessor. For more information see
> > README.sip
> > preprocessor sip: max_sessions 40000, \
> > ports { 5060 5061 5600 }, \
> > methods { invite \
> > cancel \
> > ack \
> > bye \
> > register \
> > options \
> > refer \
> > subscribe \
> > update \
> > join \
> > info \
> > message \
> > notify \
> > benotify \
> > do \
> > qauth \
> > sprack \
> > publish \
> > service \
> > unsubscribe \
> > prack }, \
> > max_uri_len 512, \
> > max_call_id_len 80, \
> > max_requestName_len 20, \
> > max_from_len 256, \
> > max_to_len 256, \
> > max_via_len 1024, \
> > max_contact_len 512, \
> > max_content_len 2048
> >
> > # IMAP preprocessor. For more information see README.imap
> > preprocessor imap: \
> > ports { 143 } \
> > b64_decode_depth 0 \
> > qp_decode_depth 0 \
> > bitenc_decode_depth 0 \
> > uu_decode_depth 0
> >
> > # POP preprocessor. For more information see README.pop
> > preprocessor pop: \
> > ports { 110 } \
> > b64_decode_depth 0 \
> > qp_decode_depth 0 \
> > bitenc_decode_depth 0 \
> > uu_decode_depth 0
> >
> > # Reputation preprocessor. For more information see README.reputation
> > preprocessor reputation: \
> > memcap 500, \
> > priority whitelist, \
> > nested_ip inner, \
> > whitelist $WHITE_LIST_PATH/white_list.rules, \
> > blacklist $BLACK_LIST_PATH/black_list.rules
> >
> >
> > The Sourcefire VRT has added and modified multiple rules in the backdoor,
> > blacklist, botnet-cnc, netbios, policy, smtp, specific-threats, spyware-put,
> > sql and web-misc rule sets to provide coverage for emerging threats from
> > these technologies.
> >
> > --
> > To unsubscribe from this group, send email to
> > snortsigs+unsubscribe at ...14071...
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
>