Re: metadata questions

["Morris, Shane (US SSA)" <shane.morris () baesystems com>]

I think your right if I use a metadata with some informational key like "metadata:author me" it should because like you 
said Snort doesn't require you to specify a service.

I know this is a bit out of scope for this forum but could you tell me how I could do this in SF 5.x because you have 
to specify a service?

Thanks, Shane

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, May 31, 2013 11:02 AM
To: Morris, Shane (US SSA)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] metadata questions

On May 30, 2013, at 8:34 PM, "Morris, Shane (US SSA)" <shane.morris () baesystems com<mailto:shane.morris () baesystems 
com>> wrote:


If we want this to fire in both http and non http streams (non-defined protocol), how do we do this?

A rule with metadata should fire on both.  I think.  I'd have to test it.


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!