Back in February, I wrote about having to upgrade Snort pretty soon. Well, the time is upon us: this week we will be releasing Snort 2.8.4. When that happens, the only way to stay current with detection for anything DCERPC-related will be to upgrade Snort. We will not be releasing detection that does not use the new dcerpc2 preprocessor.
Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.
What this means is that the only version of Snort that will get new rules for anything DCERPC-related is 2.8.4. Nothing backwards-compatible will be released, because it is not possible: the new rules depend on the decoding that the dcerpc2 preprocessor does for them. On the upside, the number of rules needed in the NetBIOS category will be reduced greatly, which makes rule management a lot easier. Previously, a lot of the decoding and detection was done in the rules themselves; with the new preprocessor handling the decoding, that is no longer necessary. Hence the huge reduction in rule count and the much simpler rules.
Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.
I also wrote a post about the new ruleset for dcerpc2, with instructions for using the new preprocessor and its README file.
Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.
Keep an eye on the mailing lists, snort.org and this space. Release is imminent.
Monday, April 6, 2009
YOU NEED TO UPGRADE TO 2.8.4 -- SERIOUSLY
A post comparing common snort.conf options for DCERPC in 2.8.3.x versus common or recommended options in DCERPC2 for 2.8.4 would be neat. Although you posted the link to the README.dcerpc2 here, 2.8.4rc1 still appears to only have the README for the old DCERPC preprocessor.
The default recommended configuration will be the following:
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
smb_max_chain 3
This will be in the sample snort.conf in the /etc directory of all the rule snapshots for 2.8, i.e. the packages you download from snort.org under Rules -> Download Rules.
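A pre-flight check a sensor admin can run before pulling a 2.8.4 rule snapshot, as an added example (my script, not part of the Snort project or the comment above): it confirms from the `snort -V` banner that the installed version is at least 2.8.4, and that snort.conf loads dcerpc2 rather than the legacy dcerpc preprocessor (or both). The banner text and build numbers are constructed; the dcerpc2 configuration is the one quoted in the comment above; the legacy `preprocessor dcerpc:` block is my recollection of the 2.8.3-era sample snort.conf defaults and is assumed, not taken from this page.

```shell
#!/bin/sh
# Pre-flight check before installing a 2.8.4 rule snapshot: is the installed
# Snort at least 2.8.4, and does snort.conf load dcerpc2 instead of the legacy
# dcerpc preprocessor?  Added example; not part of the Snort project.

# Constructed sample input resembling what `snort -V` prints (build numbers illustrative).
OLD_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.3.2 (Build 22)'
NEW_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.4 (Build 26)'

# Legacy dcerpc block in the 2.8.3.x style (assumed defaults, from memory of the
# old sample snort.conf; check the README.dcerpc shipped with your version).
OLD_CONF='preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000'

# The 2.8.4 dcerpc2 configuration recommended in the comment above.
NEW_CONF='preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3'

# Print the dotted version ("2.8.4", "2.8.3.2") found in a `snort -V` banner,
# or nothing if no "Version x.y.z" text is present.
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is >= 2.8.4, 1 otherwise (empty input -> 1).
version_at_least_2_8_4() {
    v="$1"
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    pat=$(printf '%s' "$v" | cut -d. -f3)
    [ -z "$maj" ] && return 1
    [ -z "$min" ] && min=0
    [ -z "$pat" ] && pat=0
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 8 ] && return 0
    [ "$min" -lt 8 ] && return 1
    [ "$pat" -ge 4 ]
}

# Return 0 if the snort.conf text in $1 loads dcerpc2 and does NOT also load the
# legacy dcerpc preprocessor; 1 otherwise.  Only "preprocessor dcerpc2:" counts,
# so the companion "preprocessor dcerpc2_server:" line is not mistaken for it.
conf_uses_dcerpc2() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2:' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc:' && return 1
    return 0
}

# Combine both checks: $1 is the `snort -V` output, $2 the snort.conf contents.
check_sensor() {
    ver=$(snort_version_from_banner "$1")
    if version_at_least_2_8_4 "$ver" && conf_uses_dcerpc2 "$2"; then
        echo "OK: Snort $ver with dcerpc2 enabled; safe to install the 2.8.4 rule snapshot"
        return 0
    fi
    echo "UPGRADE NEEDED: Snort '${ver:-unknown}' and/or snort.conf still on the legacy dcerpc preprocessor"
    return 1
}

# Demonstration on the constructed inputs (the first case is expected to fail).
check_sensor "$OLD_BANNER" "$OLD_CONF" || :
check_sensor "$NEW_BANNER" "$NEW_CONF"
```

On a real sensor the call would be `check_sensor "$(snort -V 2>&1)" "$(cat /etc/snort/snort.conf)"` (the config path is an assumption; use wherever your snort.conf lives). Snort itself will refuse to start on a preprocessor keyword it does not know, so an old binary fed the dcerpc2 block fails at restart anyway; the point of the check is to catch that before the restart, and to catch the opposite mistake of leaving the legacy dcerpc line in place next to the new one.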
Hmmm... Why do I get the feeling I need to upgrade Snort to version 2.8.4?
<...Upgrading...>
Hey... I'm not even using Snort
I want to upgrade to Snort 2.8.4 in IPCop. I downloaded Snort 2.8.4 and tried to install it in IPCop but cannot.
Can you help me?
Nam, IPCop is not part of the Snort project. We have no information on it at all. Your best course of action is to seek help at http://www.ipcop.org/
Thanks Nigel Houghton!
Because IPCop uses Snort 2.6.1.5, and I configured IDS/Snort and it has an error. Everybody said that I should upgrade it to 2.8, but I can't install it. ^^