Tuesday, January 4, 2011

New Rule Pack and check your Snort.conf

In addition to alerting you to today's release of the VRT Rulepack, I thought I'd post a quick note about changes in the VRT snort.conf that have been in there for awhile that not a lot of people may have noticed. The changes were made in order to enable greater detection functionality and improve Snort's performance.

1. HTTP_PORTS (and the http_inspect preprocessor):
The HTTP_PORTS variable and the http_inspect preprocessor now include a lot more ports that the VRT has discovered for default applications to use as HTTP_PORTS. The variable reads:

portvar HTTP_PORTS [80,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371]

2. SMB / DCE-RPCv2 preprocessor
The DCERPCv2 preprocessor was updated to include a list of default shares being accessed that should not be allowed. This list is ["C$", "D$", "ADMIN$"]. The configuration now appears like this:

preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]

The ORACLE_PORTS variable used to just include 1521. The default Oracle Port. After much research and pcap analysis it's been found that Oracle can occur many ports and there's a great need to cover those as well. The Oracle configuration line now reads like this:

portvar ORACLE_PORTS 1024:

4. SunRPC preprocessor
The SunRPC preprocessor was updated as well. It now includes more default ports for rpc decoding. The configuration now appears like this:

preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

5. SSL Preprocessor
Finally, the SSL preprocessor has an updated configuration. It now includes more default ports for ssl processing, it has been configured to stop inspecting a flow once client and server key exchanges have taken place and all traffic is then encrypted. This helps in the efficiency of the engine by alleviating the need to inspect SSL encrypted traffic. The configuration now appears like this:

preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted

Hopefully most of you have been paying attention to the updates in the snort.conf file shipped with the VRT's rulepacks, if you haven't, this is a good opportunity to double check your configuration files to ensure you have the latest detection functionality.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store.  Be sure and stay up to date to catch the most current threats!