[Snort-users] [Snort-Sigs] Changes made to the Snort.conf

Joel Esler joel.esler at ...14399...
Thu Dec 29 14:41:43 EST 2011


Miguel,

I'm looking into this and will get it fixed.

J

On Wed, Dec 28, 2011 at 12:24 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:

> Hi Joel,
>
> On Wed, Dec 28, 2011 at 4:11 PM, Joel Esler <jesler at ...1935...> wrote:
> > In an effort to better inform the community of changes to the snort.conf
> > file, for some time I've been placing the changes on the blog
> > (http://blog.snort.org), however, when we add something to the snort.conf
> > that could potentially break installations that I know of, I'll try and
> > remind you on the mailing list as well.  Please read the blog for all the
> > current information however.  It will ALWAYS be there.
> >
> > The following changes were made to the snort.conf recently, we suggest you
> > use the most current snort.conf from the VRT tarball to upgrade, or use the
> > snort.conf configuration download page found here: Snort.conf configuration
> > page.
> >
> > Added a variable for GTP_PORTS
> >
> > # List of GTP ports for GTP preprocessor
> > portvar GTP_PORTS [2123,2152,3386]
> >
> > Changed the rule path for the IP reputation preprocessor, you should modify
> > this in your environment:
> >
> > var WHITE_LIST_PATH /etc/snort/rules
> > var BLACK_LIST_PATH /etc/snort/rules
>
> I noticed that the current 292 snort.conf at
> http://labs.snort.org/snort/2920/snort.conf doesn't have the
> reputation preprocessor stanza.  2.9.1.2
> http://labs.snort.org/snort/2912/snort.conf has this:
>
> # Reputation preprocessor. For more information see README.reputation
> preprocessor reputation: \
>   memcap 500, \
>   priority whitelist, \
>   nested_ip inner, \
>   whitelist $WHITE_LIST_PATH/white_list.rules, \
>   blacklist $BLACK_LIST_PATH/black_list.rules
>
> I know the rule path has changed, but is the rest now obsolete?
>
> > Added a configure line for the GTP preprocessor (v2.9.2.0), off by default.
> >
> > # config enable_gtp
> >
> > Added some new http_methods to the http inspect preprocessor (v2.9.2.0):
> >
> > http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL
> > BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
> > SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH
> > RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
> > RPC_OUT_DATA RPC_ECHO_DATA }
> >
> > Enabled javascript normalization by default in the http inspect
> > preprocessor:
> >
> > normalize_javascript
> >
> > Added configurations for the modbus and dnp3 preprocessors:
> >
> > # Modbus preprocessor. For more information see README.modbus
> > preprocessor modbus: ports { 502 }
> >
> > # DNP3 preprocessor. For more information see README.dnp3
> > preprocessor dnp3: ports { 20000 } \
> > memcap 262144 \
> > check_crc
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> > --
> > To unsubscribe from this group, send email to
> > snortsigs+unsubscribe at ...14071...
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
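
A small audit of a snort.conf against the changes listed in the quoted announcement, as an added example that is not part of the original thread or Snort's own tooling: it joins backslash-continued lines, records var/portvar definitions and preprocessor stanzas, and flags `$VAR` references that have no earlier definition in the file. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: a 2.9.1.2-style reputation stanza where only one of the
# two path variables was defined, plus some additions from the announcement.
SAMPLE_CONF = r"""
portvar GTP_PORTS [2123,2152,3386]
var WHITE_LIST_PATH /etc/snort/rules
# config enable_gtp
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH/white_list.rules, \
  blacklist $BLACK_LIST_PATH/black_list.rules
preprocessor modbus: ports { 502 }
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (defined variables, preprocessor names, undefined $VAR refs)."""
    defined, preprocs, undefined = set(), [], []
    for line in logical_lines(text):
        m = re.match(r"(?:var|portvar|ipvar)\s+(\S+)\s", line)
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"preprocessor\s+(\w+)", line)
        if m:
            name = m.group(1)
            preprocs.append(name)
            # A stanza may only use variables defined earlier in the file.
            for ref in re.findall(r"\$(\w+)", line):
                if ref not in defined:
                    undefined.append((name, ref))
    return defined, preprocs, undefined

if __name__ == "__main__":
    defined, preprocs, undefined = audit(SAMPLE_CONF)
    for item in ("GTP_PORTS", "WHITE_LIST_PATH", "BLACK_LIST_PATH"):
        print(f"{item}: {'defined' if item in defined else 'MISSING'}")
    for item in ("reputation", "modbus", "dnp3"):
        print(f"preprocessor {item}: {'present' if item in preprocs else 'absent'}")
    for name, ref in undefined:
        print(f"preprocessor {name} references undefined ${ref}")
```
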