Snort mailing list archives
Re: New Rules Heads Up
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 4 Nov 2011 16:44:29 -0400
Gregory,

Yes, we take care of this automatically in the product. This new rule is in the new FILE-IDENTIFY rule category. It's disabled by default. The Sourcefire product and PulledPork will automatically enable it if you have any rules enabled that check the http.realplayer flowbit.

Please see my post on the VRT blog here: http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

Joel

On Nov 4, 2011, at 4:10 PM, Gregory Zill wrote:
> Sourcefire support sends out an SEU notice via e-mail. I pull/apply the new SEU automatically once per week to allow review. Also, Sourcefire enables variables automatically within the SEU application. However, I am not finding the ID 20456 searching through Snort, Emerging or Sourcefire rule bases.
>
> On Fri, Nov 4, 2011 at 2:39 PM, <snort-users-request () lists sourceforge net> wrote:
>
>> ------------------------------
>> Message: 6
>> Date: Fri, 4 Nov 2011 14:39:01 -0500
>> From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
>> Subject: [Snort-users] New Rules Heads Up
>> To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
>> Message-ID: <B30DD99805FB504981E5411867CF4B9C27A97670FF () ENZO hsc net ou edu>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hey all,
>>
>> How does one go about staying informed about new Source Fire rules that add additional variables BEFORE they are added to the rule set? For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my snort. Just wondering if there is a way I can get proactive on this and turn them off in pulled pork BEFORE it kills my IDS in the middle of the night.
>>
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
>>
>> GIBBY
>
> --
> Gregory W Zill
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
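The pre-flight check Nathan is asking for, added here as an example and not code from the thread, from Sourcefire or from PulledPork: before a rule update is loaded, compare every $VARIABLE the new rules reference against the var/ipvar/portvar names declared in snort.conf, so a rule like sid 20456 that depends on a not-yet-defined $FILE_DATA_PORTS is flagged instead of taking the sensor down at restart. The snort.conf fragment and the second, commented-out rule are constructed; sid 20456 is the rule quoted above.

```python
import re

# Constructed snort.conf fragment (not from the thread): it declares the
# classic variables but, like an older config, not FILE_DATA_PORTS.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""

# sid 20456 as quoted in the thread, plus a constructed disabled rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"disabled"; sid:1;)
"""

VAR_DEF = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\s', re.M)
# $NAME references; a literal '$' inside content:"..." would also match,
# which only produces an extra warning, never a missed one.
VAR_REF = re.compile(r'\$(\w+)')

def defined_vars(conf_text):
    """Names declared with var/ipvar/portvar in a snort.conf."""
    return set(VAR_DEF.findall(conf_text))

def referenced_vars(rules_text):
    """$NAME references in active (uncommented) rules, mapped to their sids."""
    refs = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # a disabled rule cannot break the reload
        m = re.search(r'\bsid:\s*(\d+)', line)
        sid = int(m.group(1)) if m else None
        for name in VAR_REF.findall(line):
            refs.setdefault(name, set()).add(sid)
    return refs

def undefined_vars(conf_text, rules_text):
    """Undefined variable name -> sids of the rules that would fail to load."""
    have = defined_vars(conf_text)
    return {n: s for n, s in referenced_vars(rules_text).items() if n not in have}

if __name__ == '__main__':
    for name, sids in undefined_vars(SAMPLE_CONF, SAMPLE_RULES).items():
        print(f"${name} is not defined in snort.conf; used by sid(s) {sorted(sids)}")
```

Run it against the freshly pulled rules directory and the live snort.conf before restarting; a non-empty result means either define the variable or disable the listed sids in PulledPork first.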
Current thread:
- New Rules Heads Up Gibson, Nathan J. (HSC) (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- Re: New Rules Heads Up Lay, James (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- <Possible follow-ups>
- Re: New Rules Heads Up Gregory Zill (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)
- Re: New Rules Heads Up Joel Esler (Nov 04)