Wednesday, December 28, 2011

VRT Rule Update for 12/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 4 additional rules.

The following changes were made to snort.conf in this release. We suggest you upgrade by using the most current snort.conf from the VRT tarball, or by using the snort.conf configuration download page found here: Snort.conf configuration page

Added a variable for GTP_PORTS:

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]


Changed the rule path for the IP reputation preprocessor; modify this to match your environment:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules


Added a configuration line for the GTP preprocessor (v2.9.2.0), off by default:

# config enable_gtp


Added some new http_methods to the http inspect preprocessor (v2.9.2.0):

http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA }


Enabled javascript normalization by default in the http inspect preprocessor:

normalize_javascript


Added configurations for the modbus and dnp3 preprocessors:

# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }

# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
memcap 262144 \
check_crc
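
To check whether an existing snort.conf already carries the settings listed above, the following added example (not VRT or Snort project code) audits a configuration for their presence and reports which of the post's http_methods are not configured. The function names and the sample fragment are constructed for illustration, and the example assumes http_methods sits inside a backslash-continued `preprocessor http_inspect_server` block.

```python
import re

# http_methods list exactly as given in the post above.
PAGE_METHODS = set("""GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY
POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH
RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
RPC_OUT_DATA RPC_ECHO_DATA""".split())

# Presence checks only: local values (ports, paths) may legitimately differ.
REQUIRED = [
    ("portvar GTP_PORTS", r"^portvar\s+GTP_PORTS\b"),
    ("var WHITE_LIST_PATH", r"^var\s+WHITE_LIST_PATH\s+\S"),
    ("var BLACK_LIST_PATH", r"^var\s+BLACK_LIST_PATH\s+\S"),
    ("normalize_javascript", r"\bnormalize_javascript\b"),
    ("preprocessor modbus", r"^preprocessor\s+modbus\b"),
    ("preprocessor dnp3", r"^preprocessor\s+dnp3\b"),
]

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blanks."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def audit(text):
    """Return (missing settings, http_methods from the post not configured)."""
    lines = logical_lines(text)
    missing = [name for name, rx in REQUIRED
               if not any(re.search(rx, l) for l in lines)]
    configured = set()
    for l in lines:
        for m in re.finditer(r"http_methods\s*\{([^}]*)\}", l):
            configured.update(m.group(1).split())
    return missing, sorted(PAGE_METHODS - configured)

# Constructed pre-update fragment, not taken from any real deployment.
SAMPLE_OLD = r"""
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT HEAD } \
    ports { 80 }
# preprocessor modbus: ports { 502 }
"""

if __name__ == "__main__":
    print(audit(SAMPLE_OLD))
```

A commented-out directive, such as the `# config enable_gtp` default, counts as absent because only active lines are inspected.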



In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the smtp,
specific-threats and web-client rule sets to provide coverage for
emerging threats from these technologies.
This release also provides coverage for a new FreeBSD telnetd overflow; see SIDs 20812 and 20813.

To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!