Home page logo

snort logo Snort mailing list archives

Re: New snort.conf
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 30 Dec 2010 00:57:40 +0000

On 12/29/2010 9:26 PM, Crook, Parker wrote:
So I finally made the push to start migrating everything to 2.9 in its latest iteration ( as things have 
cooled down in both of the environments I run (CentOS & Debian).  After compilation I started migrating and found the 
below snippet as a header in my new snort.conf file.  Great information -- Well done guys!

#   VRT Rule Packages Snort.conf
#   For more information visit us at:
#     http://www.snort.org                   Snort Website
#     http://vrt-sourcefire.blogspot.com/    Sourcefire VRT Blog
#     Mailing list Contact:      snort-sigs () lists sourceforge net
#     False Positive reports:    fp () sourcefire com
#     Snort bugs:                bugs () snort org
#     Compatible with Snort Versions:
#     VERSIONS :
#     Snort build options:
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules 
--enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload 
--enable-react --enable-flexresp3

I'm really excited to see the snort build options listed in here, as it shows me what is really going on when I run:
./configure --enable-ipv6 --enable-decoder-preprocessor-rules --enable-sourcefire --enable-targetbased 
--enable-perfprofiling --enable-reload --enable-dynamicplugin

After being puzzled for a minute I went through the configure options and noted that dynamicplugin is enabled by 
default, so I can see why that is left out, so I suppose the -enable-sourcefire turns on the following:
Is that a correct assessment?


P.S.  Perhaps consider adding a line in the "For more information visit us at" section pointing to the new Snort Blog?


That info (compile options) has been in the snort.conf that was
distributed with the VRT version of the rules for some time. It just
wasn't in the snort.conf that was distributed with the source, however
they have fixed that and the source now also has the correct snort.conf
version. There was also a bunch of differences in how http_inspect was
configured. More info here:


Everyone should really review their snort.conf and if you have the old
stuff still lingering that you were using as a skeleton conf, you should
trash it and go with the new source or the existing VRT conf to make
sure things are configured correctly.

-- Eoin

Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]