Snort mailing list archives
File magic rules for 2.9.6, what options are required?
From: Joshua Kinard <kumba () gentoo org>
Date: Thu, 26 Dec 2013 15:41:18 -0500
Doing a quick glance at the new file magic "rules" that one can specify in 2.9.6 RC, I am not directly seeing a definition of which of the options are required and which aren't. So far, it looks like I can write this:

    file type:FOO;

And ~/bin/snort -c local.rules -T parses w/o error.

Logically, my guess is that the following option keywords are going to be required for a 'file' definition to work correctly:

    type
    id
    msg
    content

With these being optional:

    ver
    category
    group (required only if >1 definition of 'type')
    offset (assumed 0 if not specified)
    rev (assumed 1 if not specified)

Does this sound about right?

Also, in doc/README.file, there are two minor errors on lines 241 and 243. First is the use of "smart quotes" on the 'msg' keyword, and 'sid' instead of 'id'. Someone wrote part of this in MS Office, didn't they? :)

--J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
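Since the post notes that snort -T accepts a bare "file type:FOO;" line, a pre-check that enforces the required/optional split proposed above is useful before loading a file ruleset. The linter below is an added example, not code from the post or from the Snort project: the keyword sets, the "file key:value; ..." line syntax and the sample rules (including the README's 'sid' typo) are assumptions and constructed data, because the post only shows "file type:FOO;".

```python
import re
from collections import Counter

# Option sets as proposed in the post; the page does not confirm that Snort
# enforces them, so this split is an assumption.
REQUIRED = {"type", "id", "msg", "content"}
OPTIONAL = {"ver", "category", "group", "offset", "rev"}
NUMERIC = {"id", "offset", "rev"}

# One "key:value;" option; value is a double-quoted string or bare text up to ';'.
_OPT_RE = re.compile(r'\s*([a-z]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;"]*?)\s*;')


def parse_file_rule(rule):
    """Parse one 'file key:value; ...' line into {key: [values]} (repeats allowed)."""
    rule = rule.strip()
    if not rule.startswith("file "):
        raise ValueError("not a file rule: %r" % rule)
    opts, pos = {}, 5
    while pos < len(rule):
        m = _OPT_RE.match(rule, pos)
        if not m:
            raise ValueError("cannot parse near column %d: %r" % (pos, rule[pos:]))
        key, val = m.group(1), m.group(2)
        if val.startswith('"'):
            val = val[1:-1]  # strip the surrounding quotes
        opts.setdefault(key, []).append(val)
        pos = m.end()
    return opts


def lint_file_rules(rules):
    """Return {rule_index: [problems]} for rules that violate the proposed option rules."""
    parsed = [parse_file_rule(r) for r in rules]
    type_count = Counter(o["type"][0] for o in parsed if "type" in o)
    report = {}
    for i, o in enumerate(parsed):
        problems = ["missing required option '%s'" % k for k in sorted(REQUIRED - set(o))]
        problems += ["unknown option '%s'" % k for k in sorted(set(o) - REQUIRED - OPTIONAL)]
        for k in sorted(NUMERIC & set(o)):
            problems += ["option '%s' must be numeric, got %r" % (k, v)
                         for v in o[k] if not v.isdigit()]
        t = o.get("type", [None])[0]
        if t is not None and type_count[t] > 1 and "group" not in o:
            problems.append("type '%s' defined more than once but no 'group'" % t)
        if problems:
            report[i] = problems
    return report


# Constructed sample ruleset: one complete rule, the bare rule from the post,
# and a rule using the README's 'sid' typo while reusing a type without 'group'.
SAMPLE_RULES = [
    'file type:PDF; id:1; category:Documents; group:1; msg:"PDF file"; rev:1; content:"%PDF"; offset:0;',
    'file type:FOO;',
    'file type:PDF; id:2; msg:"PDF (alt magic)"; content:"%PDF-1."; sid:3;',
]
```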
Current thread:
- File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 26)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 26)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Hui Cao (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Victor Roemer (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joshua Kinard (Dec 27)
- Re: File magic rules for 2.9.6, what options are required? Joel Esler (jesler) (Dec 26)