Snort mailing list archives
Re: (no subject)
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 3 Mar 2011 17:49:36 -0700
Makes perfect sense, and what I've done to address the issue you raised at the end of your email, is keep the flowbits:set rule enabled, but create a suppress statement for it.

PS. And I'm excited to see the new features!

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Thursday, March 03, 2011 4:44 PM
To: Jefferson, Shawn
Cc: Jason Wallace; wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

To address this, the logic behind PP does just what Jason had said... if you have rules that are looking for flowbits:isset values, it enables the respective, and required, flowbits:set values. Further, if you have specified a flowbits:set rule to be explicitly disabled in the disablesid.conf section and PP needs to automatically re-enable that due to it being a dependency of other rules, it will do so.. and Shawn, to address your concern.. that was a feature request that has been added to the current version that can be found in the svn repo. I anticipate having a release out soon, it contains numerous bug-fixes and feature enhancements.. I'm just waiting on some code commits to complete.

Consider this logic re: flowbit auto re-enabling: I have 3 critical rules that look for current 0-day type traffic.. they all contain flowbits:isset,this.foo; and you disabled the rule that contains flowbits:set,this.foo; because it was generating an event like "POLICY this schmuck downloaded tha foo!" and you did not want to see that. By disabling, and subsequently not re-enabling the rule containing flowbits:set,this.foo; you would be silently disabling the other 3 critical rules that relied on that flowbit, make sense?

JJC
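The dependency logic JJC describes (a disabled flowbits:set rule must come back if an enabled rule does flowbits:isset on that bit) and Shawn's workaround (keep the setter enabled, silence its event with a suppress) can be shown in a few dozen lines. The following is an added example written for this archive page, not PulledPork's own code (PulledPork is Perl; this is Python so it runs stand-alone). The ruleset, the sids (1000001 to 1000006) and the content matches are constructed placeholders, not real VRT/ET signatures. It resolves the setter-checker graph to a fixpoint, so a re-enabled setter that itself checks another bit pulls in that bit's setter as well, and then emits threshold.conf suppress lines for whatever had to be re-enabled.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample ruleset for this example: the sids are placeholders,
# not real VRT/ET signature ids, and the content matches are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY this schmuck downloaded tha foo!"; flow:to_server,established; content:"GET /foo"; flowbits:set,this.foo; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRITICAL foo stage 1"; flowbits:isset,this.foo; content:"|de ad|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRITICAL foo stage 2"; flowbits:isset,this.foo; content:"|be ef|"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRITICAL foo stage 3"; flowbits:isset,this.foo; content:"|ca fe|"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY bar seen"; flowbits:set,other.bar; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO unrelated"; content:"baz"; sid:1000006; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")

# Options that make a rule *depend* on a flowbit set by some other rule.
CHECK_OPS = {"isset", "isnotset"}
# Options that make a rule a *producer* of a flowbit.
SET_OPS = {"set", "setx", "toggle"}


def parse_rules(text: str) -> Dict[int, Dict[str, Set[str]]]:
    """Map each sid to the flowbit names it sets and the ones it checks."""
    rules: Dict[int, Dict[str, Set[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        entry: Dict[str, Set[str]] = {"sets": set(), "checks": set()}
        for op, arg in FLOWBITS_RE.findall(line):
            # Snort allows several bits in one option, joined with | or &.
            names = {n.strip() for n in re.split(r"[|&]", arg) if n.strip()} if arg else set()
            if op in SET_OPS:
                entry["sets"] |= names
            elif op in CHECK_OPS:
                entry["checks"] |= names
        rules[sid] = entry
    return rules


def resolve_dependencies(rules: Dict[int, Dict[str, Set[str]]],
                         disabled: Iterable[int]) -> Set[int]:
    """Return the disabled sids that must be re-enabled because an enabled
    rule checks a flowbit they set. Iterates to a fixpoint so a re-enabled
    setter that itself checks another bit pulls in that bit's setter too."""
    enabled = set(rules) - set(disabled)
    reenabled: Set[int] = set()
    while True:
        needed: Set[str] = set()
        for sid in enabled:
            needed |= rules[sid]["checks"]
        newly = {sid for sid, r in rules.items()
                 if sid not in enabled and r["sets"] & needed}
        if not newly:
            return reenabled
        enabled |= newly
        reenabled |= newly


def suppress_lines(sids: Iterable[int], gen_id: int = 1) -> List[str]:
    """threshold.conf lines that silence the event from a re-enabled setter
    while leaving the rule active so it still sets the flowbit."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}" for sid in sorted(sids)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # The operator disabled the noisy POLICY rules and an unrelated INFO rule.
    disabled = {1000001, 1000005, 1000006}
    must_reenable = resolve_dependencies(rules, disabled)
    print("re-enable:", sorted(must_reenable))      # [1000001]
    for line in suppress_lines(must_reenable):
        print(line)                                  # suppress gen_id 1, sig_id 1000001
```

Only sid 1000001 comes back: 1000005 sets a bit nobody checks and 1000006 touches no flowbits, so both stay disabled. If the three CRITICAL rules were themselves disabled, nothing would be re-enabled, which is the case the check has to distinguish from the one JJC warns about.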
Current thread:
- (no subject) sasa susmanto (Mar 01)
- Re: (no subject) Joel Esler (Mar 01)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) waldo kitty (Mar 02)
- Re: (no subject) Jason Wallace (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) JJC (Mar 03)
- Re: (no subject) Jefferson, Shawn (Mar 03)
- Re: (no subject) Dave Venman (Mar 03)
- Re: (no subject) Joel Esler (Mar 04)
- Re: (no subject) Alan Ptak (Mar 02)
- Re: (no subject) Joel Esler (Mar 01)
- <Possible follow-ups>
- (no subject) sasa susmanto (Mar 02)
- Re: (no subject) Alan Ptak (Mar 02)