Snort mailing list archives
Re: New Rules Heads Up
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Nov 2011 16:09:29 -0400
http://blog.snort.org

I post EVERYTHING there. I also posted this change to the list. Before the ruleset went out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Nov 4, 2011, at 3:39 PM, Gibson, Nathan J. (HSC) wrote:
Hey all,

How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set? For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my snort. Just wondering if there is a way I can get proactive on this. And turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)

GIBBY
_____________________________
Nathan J. Gibson, MsIA, CISSP, CISM, CCNA, MCSA
IT Architect
Infrastructure Services
The University of Oklahoma HSC
voice: 405.271.2644 x50340
fax: 405.271.2181
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
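A pre-deployment check for the failure described in this thread, added here as an example and not code from the posters, Sourcefire or PulledPork: it lists variables used in the headers of enabled rules that snort.conf never declares. The function name, the sample config and the two extra rules are constructed for illustration; `include`d config files are not followed, and a rule split across lines reports its sid as "?".

```python
import re

# snort.conf declares variables with "var", "ipvar" or "portvar".
DECL_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+([A-Za-z_]\w*)', re.M)
# Rule header = everything between the action keyword and the first "(".
HEADER_RE = re.compile(r'\s*(?:alert|log|pass|drop|reject|sdrop)\s+([^(]*)\(')
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

def undefined_vars(conf_text, rules_text):
    """Return {variable: [sids]} for enabled rules whose header uses a
    variable that conf_text never declares."""
    known = set(DECL_RE.findall(conf_text))
    missing = {}
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line)   # commented-out (disabled) rules do not match
        if not m:
            continue
        sid = SID_RE.search(line)   # absent when sid sits on a continuation line
        for name in VAR_RE.findall(m.group(1)):   # header only, not rule options
            if name not in known:
                missing.setdefault(name, []).append(sid.group(1) if sid else "?")
    return missing

# Constructed sample config, written before the new variable existed.
SAMPLE_CONF = """
ipvar HOME_NET 192.168.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# First rule is the one quoted in the post; the other two are constructed.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed example"; flow:to_server,established; content:"$PRICE"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $NOT_DEFINED_PORTS -> $HOME_NET any (msg:"disabled rule"; sid:1000002; rev:1;)
'''

if __name__ == "__main__":
    problems = undefined_vars(SAMPLE_CONF, SAMPLE_RULES)
    for name, sids in sorted(problems.items()):
        print(f"${name} is not declared in snort.conf; used by sid(s) {', '.join(sids)}")
    raise SystemExit(1 if problems else 0)
```

Run against the staged rules before the sensor is restarted; Snort's own test mode (`snort -T -c` with the staged configuration) remains the authoritative check.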
Current thread:
- New Rules Heads Up Gibson, Nathan J. (HSC) (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- Re: New Rules Heads Up Lay, James (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- <Possible follow-ups>
- Re: New Rules Heads Up Gregory Zill (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)