Now that Snort 2.8.4 RC-1 has been released, we at the VRT have been busy putting together a special rules file for use with this version of Snort and its new dcerpc2 pre-processor. We would like your assistance in testing this ruleset, the new version of Snort and the dcerpc2 pre-processor.
The rules file is intended to replace the regular netbios.rules file normally used with the old dcerpc pre-processor and prior versions of Snort. There are a few things to keep in mind with this release:
- This is a Release Candidate and as such is not yet recommended for production environments.
- The new dcerpc2 pre-processor MUST be used for these rules to work
- These rules WILL NOT work with prior versions of Snort or with the older dcerpc pre-processor
All false positive and false negative reports for these rules can be sent directly to the Sourcefire VRT at vrt at sourcefire.com.
Before submitting a report, please read this:
http://www.snort.org/vrt/falsepos.html
The ruleset to be used with Snort 2.8.4 RC-1 is available here:
http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules
Instructions for using the rules and for configuring the dcerpc2 pre-processor are available here:
http://www.snort.org/vrt/tools/using-dcerpc2.html
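As an added illustration, not part of the original announcement or of the linked instructions, the snort.conf fragment below shows the swap described above: the old dcerpc pre-processor and the netbios.rules include are commented out, and the dcerpc2 pre-processor is enabled next to the RC-1 rules file. The dcerpc2 and dcerpc2_server option values are the defaults shipped in the Snort 2.8.4 snort.conf; the $RULE_PATH variable, the stream5_tcp line and the exact file location are assumptions about the reader's own configuration.

```conf
# --- Before: Snort 2.8.3 and earlier (old dcerpc pre-processor + netbios.rules) ---
# Both lines must be disabled; the RC-1 rules do not fire on the old pre-processor.
# preprocessor dcerpc: \
#     autodetect \
#     max_frag_size 3000 \
#     memcap 100000
# include $RULE_PATH/netbios.rules

# --- After: Snort 2.8.4 RC-1 (dcerpc2 pre-processor + RC-1 rules file) ---
# dcerpc2 relies on Stream5 reassembly for the TCP ports it inspects,
# so make sure those ports are reassembled (port list is an assumption;
# keep whatever other ports your existing stream5_tcp line already has).
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
    ports both 135 139 445 593

# Global dcerpc2 settings: memory cap for fragment/segment tracking and
# which event classes to raise (co = connection-oriented DCE/RPC events).
preprocessor dcerpc2: memcap 102400, events [co]

# Default server policy: classic SMB/DCE-RPC ports are inspected outright,
# high ports are autodetected, and SMB AndX command chaining is limited.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# The RC-1 file replaces netbios.rules; do not load both.
include $RULE_PATH/dcerpc2-snort-2.8.4-RC-1.rules
```

Before deploying the edited configuration to a sensor, run Snort in test mode (`snort -T -c /etc/snort/snort.conf`, path assumed) so that a parse error on the dcerpc2 lines shows up immediately; a failure there usually means the binary is an older Snort that does not know the dcerpc2 pre-processor, which also explains why the rules file cannot work with prior versions.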
Additionally, the README.dcerpc2 file that did not ship with Snort 2.8.4 RC-1 is available here: