Re: New Rules Heads Up

[Joel Esler <jesler () sourcefire com>]

Http://blog.snort.org

I post EVERYTHING there.

I also posted this change to the list.  Before the ruleset went out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Nov 4, 2011, at 3:39 PM, Gibson, Nathan J. (HSC) wrote:

> Hey all,
>  
> How does one go about staying informed about new Source Fire rules that add additional variables BEFORE they are 
> added to the rule set.
>  
>  
> For example it seems a variable “$FILE_DATA_PORTS” was introduced last night that bombed out my snort. Just wondering 
> if there is a way I can get proactive on this. And turn them off in pulled pork BEFORE it kills my IDS in the middle 
> of the night.
>  
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; 
> flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; 
> flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
>  
>  
>  
>  
> GIBBY
> _____________________________
> Nathan J. Gibson, MsIA, CISSP, CISM,CCNA, MCSA
> IT Architect
> Infrastructure Services
> The University of Oklahoma HSC
> voice: 405.271.2644 x50340
> fax:    405.271.2181
> Feedback?  Email comments to Chris Hodges
> --------------------------
> CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged 
> information for the use of the designated recipients named above. If you are not the intended recipient, you are 
> hereby notified that you have received this communication in error and that any review, disclosure, dissemination, 
> distribution or copying of it or its contents is prohibited. If you have received this communication in error, please 
> destroy all copies of this communication and any attachments.
>  
>  
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!