Snort mailing list archives

Re: New Rules Heads Up


From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 4 Nov 2011 15:11:29 -0600

Hey all,
 
How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
 
 
For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my Snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.
 
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
 

GIBBY


Gibby,

Not sure of your setup, but I can tell you that I have my rules downloaded about 10 minutes into my work day...so I can monitor my logs.  Also, again, not sure of your setup, I've found a log monitor capable of emailing when...say the word FATAL is seen to send you an email.  Nothing worse than the "ugh... my IDS hasn't been running since midnight" feeling when you come into work.

James
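The two problems raised in this thread (a freshly downloaded rule referencing a variable such as $FILE_DATA_PORTS that snort.conf never defines, and only finding out from a FATAL line hours later) can both be caught with a pre-flight check run right after the rule download and before Snort is restarted. The script below is an added example written for this archive page; it is not code from either poster, from Sourcefire or from PulledPork. It assumes the usual `var`/`ipvar`/`portvar` definition syntax in snort.conf, and the snort.conf fragment, rules file and log line it checks are constructed sample data embedded inline, not real files from any installation.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check that every $NAME
# referenced in a downloaded rules file is defined in snort.conf, plus a
# grep for FATAL lines in the Snort log, so an undefined variable is
# caught before the IDS is restarted rather than at midnight.
set -u
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# Every $NAME referenced anywhere in a rules file, one per line, sorted.
rule_vars() {
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u
}

# Every name defined by var / ipvar / portvar in a snort.conf, sorted.
conf_vars() {
    awk '$1 == "var" || $1 == "ipvar" || $1 == "portvar" { print $2 }' "$1" | sort -u
}

# Names the rules use but the config never defines (empty output = all good).
# Usage: undefined_rule_vars /etc/snort/snort.conf /etc/snort/rules/new.rules
undefined_rule_vars() {
    rv=$(mktemp); cv=$(mktemp)
    rule_vars "$2" > "$rv"
    conf_vars "$1" > "$cv"
    comm -23 "$rv" "$cv"        # lines only in the rules' variable list
    rm -f "$rv" "$cv"
}

# Count of FATAL lines in a Snort log (the condition James mails himself on).
fatal_count() {
    grep -c 'FATAL' "$1"
}

# ---- constructed sample data (assumption: typical 2.9-era layout) --------
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/snort.conf"
DEMO_RULES="$DEMO_DIR/new.rules"
DEMO_LOG="$DEMO_DIR/snort.log"

cat > "$DEMO_CONF" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
# FILE_DATA_PORTS is deliberately missing, as in the original report
EOF

cat > "$DEMO_RULES" <<'EOF'
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed sample rule"; flow:to_server,established; content:"GET"; sid:9000001; rev:1;)
EOF

# Constructed log line shaped like a Snort startup failure (not a real capture).
cat > "$DEMO_LOG" <<'EOF'
Nov  4 00:02:11 sensor snort[1234]: Initializing rule chains...
Nov  4 00:02:11 sensor snort[1234]: FATAL ERROR: Undefined variable name: FILE_DATA_PORTS
EOF

# Stand-alone run: report and exit non-zero if anything is undefined.
missing=$(undefined_rule_vars "$DEMO_CONF" "$DEMO_RULES")
if [ -n "$missing" ]; then
    echo "Undefined rule variables (disable these sids in PulledPork or add a portvar):"
    echo "$missing"
fi
echo "FATAL lines in log: $(fatal_count "$DEMO_LOG")"
```

Wired into the post-download step (for PulledPork, run it over the rules file it writes before signalling Snort to reload), a non-empty result from `undefined_rule_vars` is the signal to either add the missing `portvar` or drop the offending sids from the enabled set, and `fatal_count` is the same FATAL check James describes, suitable for a cron job that mails when the count is non-zero.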

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!