Snort mailing list archives
Re: New Rules Heads Up
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 4 Nov 2011 15:11:29 -0600
Hey all,

How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set? For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)

GIBBY

Gibby,

Not sure of your setup, but I can tell you that I have my rules downloaded about 10 minutes into my work day...so I can monitor my logs. Also, again, not sure of your setup, I've found a log monitor capable of emailing when...say the word FATAL is seen to send you an email. Nothing worse than the "ugh..my IDS hasn't been running since midnight" feeling when you come into work.

James
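An added example, not part of the original messages: a pre-flight check that flags active rules whose header references a variable the configuration never defines, which is the failure described above with $FILE_DATA_PORTS. It assumes variables are declared with var, ipvar or portvar in a single configuration file (included files are not followed); the configuration excerpt and the second and third rules are constructed samples.

```python
import re
import sys

# Constructed snort.conf excerpt: FILE_DATA_PORTS is deliberately not defined.
SAMPLE_CONF = """\
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules
"""

# First rule is the one quoted in the thread; the other two are constructed.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed"; content:"$NOT_A_VAR"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $DISABLED_PORTS -> $HOME_NET any (msg:"constructed, disabled"; sid:1000002; rev:1;)
"""

DEF_RE = re.compile(r"^[ \t]*(?:var|ipvar|portvar)[ \t]+(\w+)", re.M)
REF_RE = re.compile(r"\$(\w+)")  # plain $NAME references only
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def defined_vars(conf_text):
    """Names declared with var/ipvar/portvar in the configuration text."""
    return set(DEF_RE.findall(conf_text))

def undefined_refs(rules_text, defined):
    """Map sid -> variables used in an active rule's header but never defined."""
    missing = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        header = re.split(r"\s\(", line, maxsplit=1)[0]  # text before the options
        bad = sorted(set(REF_RE.findall(header)) - defined)
        if bad:
            sid = SID_RE.search(line)
            missing[sid.group(1) if sid else "unknown"] = bad
    return missing

if __name__ == "__main__":
    # With two arguments, check real files: snort.conf first, then the rules file.
    conf, rules = SAMPLE_CONF, SAMPLE_RULES
    if len(sys.argv) == 3:
        conf = open(sys.argv[1], errors="replace").read()
        rules = open(sys.argv[2], errors="replace").read()
    problems = undefined_refs(rules, defined_vars(conf))
    for sid, names in problems.items():
        print(f"sid {sid}: undefined variable(s) {', '.join(names)}")
    sys.exit(1 if problems else 0)
```

The non-zero exit status lets a scheduled update job skip the restart and keep the previous rule set running. Snort's own test mode (-T) against the new rules remains the authoritative check.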