Snort mailing list archives

Re: Windows so rules


From: "John York" <YorkJ () brcc edu>
Date: Thu, 11 Jun 2009 17:06:40 -0400

I guess that pretty well rules out Windows as a Snort OS--have to break the "windows-only shop" rule.  Thanks for twisting my arm ;)
John

________________________________

From: jcummings () sourcefire com on behalf of JJ Cummings
Sent: Thu 6/11/2009 1:37 PM
To: John York
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Windows so rules


I would suggest looking at the stub files within the rules tarball to see what types of detection you are not getting, then determining how important those are to you.

A simple example would be Conficker... there are several SO rules to detect Conficker-esque activity...

JJC


On Thu, Jun 11, 2009 at 10:21 AM, John York <YorkJ () brcc edu> wrote:


        Is there support for the so rules on Windows?  (I found an old FAQ that
        said it was not, but that was in Google cache and didn't make it to the
        new snort.org site.)  How badly is the Snort VRT subscription rule set
        crippled if so rules aren't active?
        Thanks
        John
        



