Snort mailing list archives
Re: flowbits: file.wma
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 11:20:46 -0400
On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 () windstream net> wrote:

> there is no check rule in the *.rules files for flowbits: file.wma…

It's checked in an SO rule.

> additionally:
> SID:15921 - should mention HTTP since that is the checked vector?
> SID:12972 - should clarify inbound to client?
> SID:23188 - should mention inbound via pop3/imap2 to client for clarity?

We have a standard naming convention for file-identify rules. Since they are all set to "noalert", you'll never see the msg verbiage anyway in your alert console.

> SID:23189 - should mention outbound via SMTP to server for clarity?
> SID:23732 - should mention outbound via SMTP to server for clarity?

They aren't outbound, they are inbound, also, see above.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
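The check discussed in this thread can be scripted. The following is an added example, not part of the original messages and not Snort's own tooling: it lists flowbits that text rules set but no text rule tests. The sample rules, their SIDs and the `checked_elsewhere` parameter are constructed for illustration; a bit reported here may still be tested inside a compiled SO rule, which a text scan cannot see.

```python
import re
from collections import defaultdict

# Constructed sample rules: SIDs, content strings and messages are made up.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY sample WMA"; flow:to_client,established; content:"SAMPLEWMA"; flowbits:set,file.wma; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY sample PDF"; flow:to_client,established; content:"%PDF-"; flowbits:set,file.pdf; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF sample check"; flow:to_client,established; flowbits:isset,file.pdf; content:"/JavaScript"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; flowbits:isset,file.wma; sid:1000004; rev:1;)
'''

SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}
# Matches "flowbits:<op>" with an optional ",<name(s)>"; a trailing ",<group>" is ignored.
FLOWBITS = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")


def audit_flowbits(rules_text, checked_elsewhere=()):
    """Return {flowbit: [setter SIDs]} for bits set but never tested in rules_text.

    checked_elsewhere (hypothetical parameter) names bits known to be tested
    outside the text rules, for example in SO rules.
    """
    set_by, checked = defaultdict(list), set(checked_elsewhere)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and disabled rules
            continue
        sid_match = SID.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for op, names in FLOWBITS.findall(line):
            if not names:  # noalert / reset carry no bit name
                continue
            for bit in re.split(r"[&|]", names):  # "a&b" and "a|b" forms
                bit = bit.strip()
                if op in SETTERS:
                    set_by[bit].append(sid)
                elif op in CHECKERS:
                    checked.add(bit)
    return {b: s for b, s in sorted(set_by.items()) if b not in checked}


if __name__ == "__main__":
    for bit, sids in audit_flowbits(SAMPLE_RULES).items():
        print(f"{bit}: set by SID {sids}, no text-rule check found")
```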