Snort mailing list archives

Re: (no subject)


From: JJC <cummingsj () gmail com>
Date: Thu, 3 Mar 2011 17:44:13 -0700

To address this, the logic behind PP does just what Jason had said...
if you have rules that are looking for flowbits:isset values, it
enables the respective, and required, flowbits:set values.

Further, if you have specified a flowbits:set rule to be explicitly
disabled in the disablesid.conf section and PP needs to automatically
re-enable that due to it being a dependency of other rules, it will do
so.. and Shawn, to address your concern.. that was a feature request
that has been added to the current version that can be found in the
svn repo.  I anticipate having a release out soon, it contains
numerous bug-fixes and feature enhancements.. I'm just waiting on some
code commits to complete.

Consider this logic re: flowbit auto re-enabling:

I have 3 critical rules that look for current 0-day type traffic..
they all contain flowbits:isset,this.foo; and you disabled the rule
that contains flowbits:set,this.foo; because it was generating an
event like "POLICY this schmuck downloaded tha foo!" and you did not
want to see that.  By disabling, and subsequently not re-enabling the
rule containing flowbits:set,this.foo; you would be silently disabling
the other 3 critical rules that relied on that flowbit, make sense?

JJC

On Thu, Mar 3, 2011 at 10:04 AM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
I don't believe that it does, and if you have rules enabled that rely on a flowbit being set, then you probably want
that rule that sets the flowbit enabled, IMO.  A weakness, I think, of pulledpork is that it didn't tell the user
what rules it was re-enabling in the past, maybe it does now?

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Thursday, March 03, 2011 5:07 AM
To: wkitty42 () windstream net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

I'm not positive but I believe it enables only the ones that are actually needed based on what is actually needed.
Meaning if a rule is enabled that uses flowbits:isset,http.quicktime; and the rule(s) that contain
flowbits:set,http.quicktime; are disabled then it will enable that/those rules. I do not think it enables every
flowbits:set rule.


On Wed, Mar 2, 2011 at 9:42 PM, waldo kitty <wkitty42 () windstream net> wrote:

2. how can/does PP handle the possibility of enabling only one or two
of the flowbits setting rules if not all of them are desired to be enabled?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
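The dependency logic JJC describes above (enabled flowbits:isset rules pull in the flowbits:set rules they need, even ones listed in disablesid.conf, and only those) as an added, stand-alone example; this is not PulledPork's own code, and the rule lines and SIDs are constructed for illustration. It also reports which SIDs were re-enabled and why, the visibility Shawn asks about.

```python
import re

# Constructed sample ruleset (not from any real Snort/VRT rule file).
# A leading "# " marks a rule that is disabled in the file itself.
RULES = """\
alert tcp any any -> any 80 (msg:"POLICY this schmuck downloaded tha foo!"; flowbits:set,this.foo; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"CRITICAL foo 0-day variant A"; flowbits:isset,this.foo; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"CRITICAL foo 0-day variant B"; flowbits:isset,this.foo; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"CRITICAL foo 0-day variant C"; flowbits:isset,this.foo; sid:1000004; rev:1;)
# alert tcp any any -> any 80 (msg:"POLICY quicktime request"; flowbits:set,http.quicktime; sid:1000005; rev:1;)
# alert tcp any any -> any 80 (msg:"unrelated disabled rule"; sid:1000006; rev:1;)
"""

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {'set', 'setx', 'toggle'}      # operations that establish a bit
CHECKERS = {'isset', 'isnotset'}         # operations that depend on a bit

def parse_rules(text):
    """Map sid -> {'enabled', 'sets', 'needs'} from rule text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        sets, needs = set(), set()
        for op, arg in FLOWBITS_RE.findall(line):
            bits = {b.strip() for b in re.split(r'[&|]', arg) if b.strip()}
            if op in SETTERS:
                sets |= bits
            elif op in CHECKERS:
                needs |= bits
        rules[int(m.group(1))] = {'enabled': not line.startswith('#'),
                                  'sets': sets, 'needs': needs}
    return rules

def resolve_flowbits(rules, disablesid=frozenset()):
    """Apply disablesid, then re-enable any setter an enabled checker needs.
    Loops so that chained dependencies (setter that itself checks a bit) resolve.
    Returns (enabled_sids, {re_enabled_sid: [bits it was needed for]})."""
    enabled = {s for s, r in rules.items() if r['enabled'] and s not in disablesid}
    re_enabled = {}
    changed = True
    while changed:
        changed = False
        needed = set().union(*(rules[s]['needs'] for s in enabled))
        for sid, r in rules.items():
            if sid not in enabled and r['sets'] & needed:
                enabled.add(sid)
                re_enabled[sid] = sorted(r['sets'] & needed)
                changed = True
    return enabled, re_enabled

if __name__ == '__main__':
    on, back = resolve_flowbits(parse_rules(RULES), disablesid={1000001})
    for sid, bits in sorted(back.items()):
        print(f"re-enabled sid {sid}: required for flowbits {', '.join(bits)}")
```

Note that sid 1000005 stays disabled: nothing enabled checks http.quicktime, so, as Jason says, not every flowbits:set rule is turned on.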

