[Snort-users] [Snort-Sigs] Changes made to the Snort.conf

Miguel Alvarez miguellvrz9 at ...11827...
Wed Dec 28 12:24:13 EST 2011


Hi Joel,

On Wed, Dec 28, 2011 at 4:11 PM, Joel Esler <jesler at ...1935...> wrote:
> In an effort to better inform the community of changes to the snort.conf
> file, for some time I've been placing the changes on the blog
> (http://blog.snort.org), however, when we add something to the snort.conf
> that could potentially break installations that I know of, I'll try and
> remind you on the mailing list as well.  Please read the blog for all the
> current information however.  It will ALWAYS be there.
>
> The following changes were made to the snort.conf recently, we suggest you
> use the most current snort.conf from the VRT tarball to upgrade, or use the
> snort.conf configuration download page found here: Snort.conf configuration
> page.
>
> Added a variable for GTP_PORTS
>
> # List of GTP ports for GTP preprocessor
> portvar GTP_PORTS [2123,2152,3386]
>
> Changed the rule path for the IP reputation preprocessor, you should modify
> this in your environment:
>
> var WHITE_LIST_PATH /etc/snort/rules
> var BLACK_LIST_PATH /etc/snort/rules

I noticed that the current 292 snort.conf at
http://labs.snort.org/snort/2920/snort.conf doesn't have the
reputation preprocessor stanza.  2.9.1.2
http://labs.snort.org/snort/2912/snort.conf has this:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

I know the rule path has changed, but is the rest now obsolete?

> Added a configure line for the GTP preprocessor (v2.9.2.0), off by default.
>
> # config enable_gtp
>
> Added some new http_methods to the http inspect preprocessor (v2.9.2.0):
>
> http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL
> BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
> SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH
> RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
> RPC_OUT_DATA RPC_ECHO_DATA }
>
> Enabled javascript normalization by default in the http inspect
> preprocessor:
>
> normalize_javascript
>
> Added configurations for the modbus and dnp3 preprocessors:
>
> # Modbus preprocessor. For more information see README.modbus
> preprocessor modbus: ports { 502 }
>
> # DNP3 preprocessor. For more information see README.dnp3
> preprocessor dnp3: ports { 20000 } \
> memcap 262144 \
> check_crc
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> Please visit http://blog.snort.org for the latest news about Snort!
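
Added example (not part of the original message and not Snort project code): a Python check that reads a snort.conf, joins the backslash-continued reputation stanza, and reports which whitelist/blacklist files it resolves to and which path variables it uses without defining them. The sample configuration is constructed from the lines quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample built from the lines quoted in this thread.
# BLACK_LIST_PATH is deliberately left undefined to show the failure case.
SAMPLE_CONF = r"""
# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]
var WHITE_LIST_PATH /etc/snort/rules
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    stripped = (line.strip() for line in joined.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def audit_reputation(text):
    """Return (list_files, undefined_vars) for the reputation stanza.

    list_files maps 'whitelist'/'blacklist' to the path with $VARs expanded;
    undefined_vars names variables the stanza uses but the file never sets.
    """
    lines = logical_lines(text)
    variables, files, undefined = {}, {}, []
    for line in lines:
        m = re.match(r"(?:var|portvar|ipvar)\s+(\S+)\s+(.+)", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()

    def expand(ref):
        if ref.group(1) not in variables:
            undefined.append(ref.group(1))
            return ref.group(0)  # leave the unresolved reference visible
        return variables[ref.group(1)]

    for line in lines:
        m = re.match(r"preprocessor\s+reputation\s*:(.*)", line)
        for option in (m.group(1).split(",") if m else []):
            parts = option.split()
            if len(parts) == 2 and parts[0] in ("whitelist", "blacklist"):
                files[parts[0]] = re.sub(r"\$(\w+)", expand, parts[1])
    return files, undefined
```

An empty list_files result means the file contains no reputation stanza at all, so there is nothing for WHITE_LIST_PATH and BLACK_LIST_PATH to feed.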
