<body>

Wednesday, April 08, 2009

Upgrade to Snort 2.8.4

Sourcefire replaced the dcerpc preprocessor in Snort with a new dcerpc2 preprocessor, and the current VRT netbios rules are written against it, so you have to upgrade to 2.8.4 if you want the netbios rules to keep working. This is the procedure I followed to upgrade my snort boxes.

Get Snort 2.8.4
# wget http://www.snort.org/dl/snort-2.8.4.tar.gz

Build and install snort

# tar zxvf snort-2.8.4.tar.gz
# cd snort-2.8.4
# ./configure --with-mysql --enable-dynamicplugin
# make
# service snort stop
# make install

Replace old netbios rules

# wget http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules
# cp /etc/snort/rules/netbios.rules /etc/snort/rules/netbios.rules.old
# cp dcerpc2-snort-2.8.4-RC-1.rules /etc/snort/rules/netbios.rules

Disable the old dcerpc preprocessor:

In snort.conf:

#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000

Enable the new dcerpc2 preprocessor:

In snort.conf:

preprocessor dcerpc2
preprocessor dcerpc2_server: default
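The whole procedure above, as an added example script that is not from the original post: it wraps the build, the rule swap and the snort.conf edit in shell functions, comments out the old dcerpc block with awk instead of by hand, and runs snort -T against the edited config before the sensor is started again, so a bad edit does not leave the box without a running sensor. The paths /etc/snort/snort.conf and /etc/snort/rules, the RUN_UPGRADE switch and the function names are assumptions; the configure flags, URLs and preprocessor lines are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). The paths below are assumptions;
# override them in the environment if your layout differs.
set -e
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"    # assumption
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"           # assumption
SNORT_TARBALL="http://www.snort.org/dl/snort-2.8.4.tar.gz"
NETBIOS_RULES="http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules"

# Rewrite a snort.conf (stdin -> stdout): comment out the old multi-line
# "preprocessor dcerpc:" directive, including its backslash-continued lines,
# and append the dcerpc2 lines unless they are already present.
migrate_dcerpc_conf() {
    awk '
        /^[ \t]*preprocessor[ \t]+dcerpc:/ {       # start of the old block
            print "#" $0
            cont = ($0 ~ /\\[ \t]*$/)              # continued on the next line?
            next
        }
        cont == 1 {                                # continuation lines of the old block
            print "#" $0
            cont = ($0 ~ /\\[ \t]*$/)
            next
        }
        /^[ \t]*preprocessor[ \t]+dcerpc2/ { seen = 1 }
        { print }
        END {
            if (!seen) {
                print "preprocessor dcerpc2"
                print "preprocessor dcerpc2_server: default"
            }
        }
    '
}

# Build and install 2.8.4 with the configure options from the post. The running
# sensor is stopped only for the install step, so the build itself costs no
# monitoring time. Runs in a subshell so the cd does not leak out.
build_and_install() (
    wget "$SNORT_TARBALL"
    tar zxf snort-2.8.4.tar.gz
    cd snort-2.8.4
    ./configure --with-mysql --enable-dynamicplugin
    make
    service snort stop
    make install
    snort -V                     # confirm the new binary is the one on PATH
)

# Swap in the dcerpc2 netbios rules, keeping the old file for rollback.
swap_netbios_rules() {
    wget -O dcerpc2-netbios.rules "$NETBIOS_RULES"
    cp "$RULES_DIR/netbios.rules" "$RULES_DIR/netbios.rules.old"
    cp dcerpc2-netbios.rules "$RULES_DIR/netbios.rules"
}

# Replace snort.conf only after snort -T has parsed the candidate file without
# error; the candidate is written next to the real file so relative includes
# resolve the same way. A typo in a preprocessor line would otherwise leave
# the sensor unable to start after the stop above.
migrate_and_restart() {
    migrate_dcerpc_conf < "$SNORT_CONF" > "$SNORT_CONF.new"
    snort -T -c "$SNORT_CONF.new"
    cp "$SNORT_CONF" "$SNORT_CONF.pre-2.8.4"
    mv "$SNORT_CONF.new" "$SNORT_CONF"
    service snort start
}

# Only perform the real upgrade when explicitly asked; sourcing the file
# otherwise just defines the functions (e.g. to try migrate_dcerpc_conf on a copy).
if [ "${RUN_UPGRADE:-0}" = "1" ]; then
    build_and_install
    swap_netbios_rules
    migrate_and_restart
fi
```

Run it with RUN_UPGRADE=1 to do the upgrade; without that it only defines the functions, so you can pipe a copy of snort.conf through migrate_dcerpc_conf and eyeball the result first. The comment below notes that the rules URL has since broken, so point NETBIOS_RULES at wherever you now get the dcerpc2 netbios rules.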

1 Comment:

Riley Porter said...

wget http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules Link is broken...

Riley

10:01 AM  
