Snort mailing list archives

Re: flowbits: file.wma


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 11:20:46 -0400

On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 () windstream net> wrote:


> there is no check rule in the *.rules files for flowbits: file.wma…

It's checked in an SO rule.

> additionally:
>   SID:15921 - should mention HTTP since that is the checked vector?
>   SID:12972 - should clarify inbound to client?
>   SID:23188 - should mention inbound via pop3/imap2 to client for clarity?

We have a standard naming convention for file-identify rules.  Since they are all set to "noalert", you'll never see the msg verbiage anyway in your alert console.

>   SID:23189 - should mention outbound via SMTP to server for clarity?
>   SID:23732 - should mention outbound via SMTP to server for clarity?

They aren't outbound, they are inbound. Also, see above.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
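
The situation discussed in this message (a flowbit set by a "noalert" file-identify rule with no matching check in the text *.rules files) can be audited with a short script. This is an added example, not part of the original post and not VRT code; the sample rules and SIDs are constructed placeholders, and `audit_flowbits` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the VRT rule set); SIDs are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY constructed WMA example"; flow:to_client,established; file_data; content:"|30 26 B2 75|"; depth:4; flowbits:set,file.wma; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY constructed PDF example"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; flowbits:set,file.pdf; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF constructed check example"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; sid:1000003; rev:1;)
'''

SETTERS = {"set", "setx", "toggle"}      # operations that turn a bit on
CHECKERS = {"isset", "isnotset"}         # operations that test a bit
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def audit_flowbits(rules_text):
    """Return {bit: [sids that set it]} for bits never tested in rules_text."""
    setters, checked = defaultdict(list), set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(",")]
            if len(parts) < 2:                 # e.g. "noalert" carries no bit name
                continue
            op = parts[0]
            # "a&b" / "a|b" name several bits in one option
            bits = [b.strip() for b in re.split(r"[&|]", parts[1]) if b.strip()]
            for bit in bits:
                if op in SETTERS:
                    setters[bit].append(sid)
                elif op in CHECKERS:
                    checked.add(bit)
    return {bit: sids for bit, sids in setters.items() if bit not in checked}

if __name__ == "__main__":
    for bit, sids in sorted(audit_flowbits(SAMPLE_RULES).items()):
        print(f"{bit}: set by SID(s) {sids}, no isset/isnotset in text rules")
```

A bit reported here is not necessarily unused: as the reply says, the check can live in a shared-object (SO) rule, which a scan of the text rules cannot see.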

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

