Thursday, August 25, 2011

VRT Rule Update for 08/25/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 55 new rules and make modifications to 19 additional rules.

The registered users of Snort have emailed me and told me that they will not be able to access the snort.conf for 2.9.1 until the 30 day window is open.  This is correct, however, for registered users's convenience you may access the 2.9.1 snort.conf here:
http://www.snort.org/assets/184/snort.conf

The following changes have been made to the snort.conf in this release:

Modifications to HTTP_PORTS

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]


Modifications to Stream5 configuration:

ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555


Modifications to http_inspect

ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }


Increase to the Max sessions in the SIP preprocessor

preprocessor sip: max_sessions 40000


Increase to the max_content_len parameter in the SIP preprocessor

max_content_len 2048


Modifications to the file names in the IP Blacklist Preprocessor

preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, rpc, specific-threats, spyware-put and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!