Snort mailing list archives

Re: File-identify category


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 5 Jan 2012 12:07:10 -0500

On Jan 5, 2012, at 11:54 AM, Peter Bates wrote:

Hello all...

Okay, so I've read
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

At the moment in the ruleset there are 235 rules, of which 159 seem to
be enabled.

Eventually I'd like to get to the point where most of these are disabled and we rely on PulledPork (or the Sourcefire product) to enable the rules that are needed. People are still using other tools that don't support flowbit resolution, though.


I understand the purpose is to identify certain filetypes and then set
a flowbit on them which is being used in other rulesets
(exploit.rules, web-client.rules).

Correct.


25 of the rules have 'noalert' set - I'm not particularly interested
in the actual download itself and I'm now seeing that SIDs

  18758 FILE-IDENTIFY Microsoft Windows Visual Basic script file download request
  18983 FILE-IDENTIFY Apple Mach-O executable file magic detection
  15306 FILE-IDENTIFY Portable Executable binary file magic detection


The rules in that category that are NOT set to noalert mean that we are giving users the option to drop that type of file from entering the network totally. Say, if you want to disallow someone downloading an executable, you can set the rule to drop. If you are not running inline, and you don't want to observe these downloads, just suppress them.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
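The dependency Joel describes (file-identify rules set a flowbit, exploit and web-client rules check it, and a rule manager has to keep the setters enabled whenever a checker is enabled) is easy to get wrong by hand. The script below is an added example, not PulledPork's or Sourcefire's code: it parses a small rule file, resolves flowbit dependencies to a fixed point, reports bits that no enabled rule sets, and shows the two non-disabling options from the reply, converting a rule to drop for inline use or writing a threshold.conf suppress entry so the alert is silenced while flowbits:set still fires. The rule text is constructed for illustration (local-range SIDs 1000001 to 1000005, simplified bodies); it is not the real VRT rule content for the SIDs quoted above.

```python
"""Flowbit resolution over a Snort 2.x rule set.

Added example, not PulledPork's or Sourcefire's code. The rules below are
constructed for illustration (local-range SIDs, simplified bodies); they are
not the real VRT file-identify or web-client rules.
"""
import re
from dataclasses import dataclass, field

# A leading '#' is how a Snort rule file marks a disabled rule.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log)\s+'
    r'(?P<header>[^(]+)\((?P<body>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*([^;]+);')

# Constructed sample rule file: two file-identify setters (one disabled and
# noalert, one enabled and alerting), two consumers, and one consumer whose
# flowbit nothing sets.
SAMPLE_RULES = r'''
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY VBScript file download request"; flow:to_server,established; content:".vbs"; http_uri; nocase; flowbits:set,file.vbs; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable binary file magic detection"; flow:to_client,established; file_data; content:"MZ"; depth:2; flowbits:set,file.exe; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VBScript WScript.Shell use"; flow:to_client,established; flowbits:isset,file.vbs; file_data; content:"WScript.Shell"; nocase; classtype:attempted-user; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT constructed PE consumer rule"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"UPX0"; classtype:attempted-user; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JAR consumer with no setter"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"META-INF/"; classtype:attempted-user; sid:1000005; rev:1;)
'''


@dataclass
class Rule:
    sid: int
    action: str
    enabled: bool
    text: str
    sets: set = field(default_factory=set)    # bits this rule sets
    checks: set = field(default_factory=set)  # bits this rule requires
    noalert: bool = False


def parse_rules(text):
    """Parse rule lines into {sid: Rule}; plain comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group('body'))
        if not sid_m:
            continue
        r = Rule(int(sid_m.group(1)), m.group('action'),
                 m.group('disabled') is None, line)
        for fb in FLOWBITS_RE.findall(m.group('body')):
            parts = [p.strip() for p in fb.split(',')]
            if parts[0] == 'noalert':
                r.noalert = True
            elif parts[0] in ('set', 'setx', 'toggle') and len(parts) > 1:
                r.sets.update(re.split(r'[&|]', parts[1]))   # set,a&b sets both
            elif parts[0] in ('isset', 'isnotset') and len(parts) > 1:
                r.checks.update(re.split(r'[&|]', parts[1]))
        rules[r.sid] = r
    return rules


def resolve_flowbits(rules):
    """SIDs of disabled rules to re-enable so every bit checked by an enabled
    rule is set by an enabled rule. Loops to a fixed point because a setter
    may itself check another bit."""
    to_enable, changed = set(), True
    while changed:
        changed = False
        active = [r for r in rules.values() if r.enabled or r.sid in to_enable]
        needed = set().union(*(r.checks for r in active)) if active else set()
        for bit in needed:
            setters = [r for r in rules.values() if bit in r.sets]
            if not any(s.enabled or s.sid in to_enable for s in setters):
                for s in setters:
                    to_enable.add(s.sid)
                    changed = True
    return to_enable


def unsatisfied_bits(rules, extra_enabled=frozenset()):
    """Bits checked by an enabled rule that no enabled rule sets."""
    def on(r):
        return r.enabled or r.sid in extra_enabled
    checked = set().union(*(r.checks for r in rules.values() if on(r)))
    provided = set().union(*(r.sets for r in rules.values() if on(r)))
    return checked - provided


def as_drop(rule):
    """Inline deployment: rewrite an alert rule as a drop rule (text only)."""
    return re.sub(r'^(#\s*)?alert\b', 'drop', rule.text)


def suppress_line(rule, gen_id=1):
    """threshold.conf entry: silence the alert without disabling the rule, so
    its flowbits:set still fires for the consumer rules."""
    return f'suppress gen_id {gen_id}, sig_id {rule.sid}'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    fix = resolve_flowbits(rules)
    print('re-enable SIDs:', sorted(fix))
    print('bits with no setter:', sorted(unsatisfied_bits(rules, fix)))
    print(as_drop(rules[1000002]))
    print(suppress_line(rules[1000002]))
```

Run against the sample, the resolver re-enables SID 1000001 (disabled but required by enabled consumer 1000003) and flags file.jar as a bit nothing sets; the disabled consumer 1000004 pulls in nothing. The noalert rule 1000001 is exactly the kind of rule that must not be disabled to quiet a sensor: it never alerts on its own, and disabling it silently blinds the consumers, whereas a suppress line on an alerting setter like 1000002 keeps the flowbit working.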
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!