Snort mailing list archives

flowbits: file.wma
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 29 May 2013 10:58:07 -0400
there is no check rule in the *.rules files for flowbits: file.wma...

additionally:
   SID:15921 - should mention HTTP since that is the checked vector?
   SID:12972 - should clarify inbound to client?
   SID:23188 - should mention inbound via pop3/imap2 to client for clarity?
   SID:23189 - should mention outbound via SMTP to server for clarity?
   SID:23732 - should mention outbound via SMTP to server for clarity?

registered subscriber using latest rules pulled 26 May 2013 for

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4.1 GRE (Build 69)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.1.1
            Using PCRE version: 7.8 2008-09-05
            Using ZLIB version: 1.2.6
May 26 04:25:44 frodo snort[22314]: WARNING: flowbits key 'file.wma' is set but not ever checked.

$ grep -E "file.wma" /path/to/snort/*rules*/*.rules

/path/to/snort/rules/file-identify.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft multimedia format file download request"; flow:to_server,established; content:".wma"; fast_pattern:only; http_uri; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wma&file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Media_Audio; classtype:misc-activity; sid:15921; rev:15;)

/path/to/snort/rules/file-identify.rules:alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected"; flow:to_client,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE 4C F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|"; within:16; distance:8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service http, service imap, service pop3; classtype:misc-activity; sid:12972; rev:13;)

/path/to/snort/rules/file-identify.rules:alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wma"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|"; nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23188; rev:2;)

/path/to/snort/rules/file-identify.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wma"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|"; nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23189; rev:3;)

/var/smoothwall/snort/rules/file-identify.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Media Player .asf file magic detected"; flow:to_server,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE FC F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|"; within:16; distance:8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23732; rev:5;)
-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
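
The startup warning quoted in the message is Snort cross-checking, at rule-load time, every flowbits key that some rule sets against the keys that some rule tests with isset or isnotset. The following is an added example, not code from the message above or from the Snort project: a small Python audit that performs the same cross-check offline over a rule set, reports keys that are set but never checked (the file.wma case) and, for completeness, the inverse case of keys that are checked but never set. It handles the 2.9.x multi-key forms `set,a&b` and `isset,a|b` and an optional group name. Everything in it is an assumption except the three setter rules, which are condensed from the file-identify.rules entries quoted above: the constructed consumer rules with sids 9000001 to 9000003, their contents, and the decision to treat setx and toggle as setters are all this example's own choices, not statements about Snort's internals.

```python
"""Offline audit for orphaned Snort flowbits.

Added example for this thread, not Snort's own code: it reproduces the idea
behind the startup warning "flowbits key '...' is set but not ever checked"
by scanning a rule set and pairing every flowbits setter with its checkers.
The rule set at the bottom is constructed: three rules are condensed from the
file-identify.rules entries quoted in the message, the rest are stand-ins for
the detection rules that would normally consume those bits.
"""
import re
from collections import defaultdict

# Operators that leave a bit set (treating setx and toggle as setters is this
# script's choice, not a statement about how Snort classifies them internally).
SETTERS = {"set", "setx", "toggle"}
# Operators that test a bit.
CHECKERS = {"isset", "isnotset"}
# Operators that take no key at all.
NO_KEY = {"noalert", "reset"}

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_flowbits(option):
    """Split one flowbits option body into (operator, [keys]).

    Accepts the 2.9.x multi-key forms 'set,a&b' and 'isset,a|b', and an
    optional trailing group name ('set,a,mygroup'), which is ignored here.
    """
    parts = [p.strip() for p in option.split(",")]
    op = parts[0].lower()
    if op in NO_KEY or len(parts) < 2:
        return op, []
    return op, [k for k in re.split(r"[&|]", parts[1]) if k]


def audit(rules_text):
    """Return two dicts: key -> sids that set it, key -> sids that check it.

    Assumes one rule per line (backslash continuations are not joined).
    """
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for body in FLOWBITS_RE.findall(line):
            op, keys = parse_flowbits(body)
            if op in SETTERS:
                bucket = setters
            elif op in CHECKERS:
                bucket = checkers
            else:
                continue
            for key in keys:
                bucket[key].add(sid)
    return setters, checkers


def set_but_never_checked(rules_text):
    """Keys with at least one setter and no isset/isnotset anywhere."""
    setters, checkers = audit(rules_text)
    return {k: sorted(v) for k, v in setters.items() if k not in checkers}


def checked_but_never_set(rules_text):
    """Keys tested by some rule that no rule ever sets."""
    setters, checkers = audit(rules_text)
    return {k: sorted(v) for k, v in checkers.items() if k not in setters}


def warnings(rules_text):
    """Findings in wording modelled on Snort's startup messages, plus the sids."""
    out = []
    for key, sids in sorted(set_but_never_checked(rules_text).items()):
        out.append(f"flowbits key '{key}' is set but not ever checked (set by sids {sids})")
    for key, sids in sorted(checked_but_never_set(rules_text).items()):
        out.append(f"flowbits key '{key}' is checked but not ever set (checked by sids {sids})")
    return out


# Constructed sample rule set (see module docstring); not a real rules file.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY wma download request"; flow:to_server,established; content:".wma"; http_uri; flowbits:set,file.wma&file.asx; flowbits:noalert; sid:15921; rev:15;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY asf/wmv/wma file magic"; flow:to_client,established; file_data; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; sid:12972; rev:13;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY wma attachment"; flow:to_client,established; content:".wma"; flowbits:set,file.asx&file.wma; flowbits:noalert; sid:23188; rev:2;)
# Constructed stand-ins for the detection rules that consume the bits:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED asx consumer"; flow:to_client,established; flowbits:isset,file.asx; content:"<asx"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED asf or wmv consumer"; flow:to_client,established; flowbits:isset,file.asf|file.wmv; file_data; content:"constructed"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED consumer of a bit nobody sets"; flowbits:isnotset,file.mp3; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    for w in warnings(SAMPLE_RULES):
        print("WARNING:", w)
```

Run against the constructed set it reports exactly the situation in the message: file.wma is set by 12972, 15921 and 23188 and consumed by nobody, while file.asx, file.asf and file.wmv each have a consumer and stay quiet. To use it on a real deployment, read the concatenated *.rules files into `rules_text`; since the audit keys on the rule text alone it will also flag bits whose consumer rule is merely commented out, which is the usual cause of this warning after a ruleset update.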

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!