Re: New Rules Heads Up

[Joel Esler <jesler () sourcefire com>]

Gregory,

Yes, we take care of this automatically in the product.

This new rule is in the new FILE-IDENTIFY rule category.  It's disabled by default.

The Sourcefire product and PulledPork will automatically enable it if you have any rules enabled that check the 
http.realplayer flowbit.

Please see my post on the VRT blog here:
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

Joel

On Nov 4, 2011, at 4:10 PM, Gregory Zill wrote:

> Sourcefire support sends out an SEU notice via e-mail. I pull/apply
> new the SEU automatically once per week to allow review. Also,
> Sourcefire enables variables automatically within the SEU application.
>
> However, I am not finding the ID 20456 searching through Snort,
> Emerging or Sourcefire rule bases.
>
> On Fri, Nov 4, 2011 at 2:39 PM,
> <snort-users-request () lists sourceforge net> wrote:
> > ------------------------------
> >
> > Message: 6
> > Date: Fri, 4 Nov 2011 14:39:01 -0500
> > From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
> > Subject: [Snort-users] New Rules Heads Up
> > To: "snort-users () lists sourceforge net"
> >        <snort-users () lists sourceforge net>
> > Message-ID:
> >        <B30DD99805FB504981E5411867CF4B9C27A97670FF () ENZO hsc net ou edu>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Hey all,
> >
> > How does one go about staying informed about new Source Fire rules that add additional variables BEFORE they are 
> > added to the rule set.
> >
> >
> > For example it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my snort. Just 
> > wondering if there is a way I can get proactive on this. And turn them off in pulled pork BEFORE it kills my IDS in 
> > the middle of the night.
> >
> > alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; 
> > flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; 
> > flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
> >
> >
> >
> >
> > GIBBY
>
> -- 
> Gregory W Zill
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!