Snort mailing list archives

Re: File magic rules for 2.9.6, what options are required?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 27 Dec 2013 03:16:50 +0000

Thanks Joshua, one of the devels will get back to you.  

I just wanted to comment on the Smart Quotes part.  I think OSX is using smart quotes now in Mavericks. 

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.  

On Dec 26, 2013, at 15:45, "Joshua Kinard" <kumba () gentoo org> wrote:


Doing a quick glance at the new file magic "rules" that one can specify in
2.9.6 RC, I am not directly seeing a definition of which of the options are
required and which aren't.

So far, it looks like I can write this:
   file type:FOO;

And ~/bin/snort -c local.rules -T parses w/o error.

Logically, my guess is that the following option keywords are going to be
required for a 'file' definition to work correctly:
   type
   id
   msg
   content

With these being optional:
   ver
   category
   group (required only if >1 definition of 'type')
   offset (assumed 0 if not specified)
   rev (assumed 1 if not specified)

Does this sound about right?


Also, in doc/README.file there are two minor errors on lines 241 and 243.  First
is the use of "smart quotes" on the 'msg' keyword, and second is 'sid' instead of 'id'.
Someone wrote part of this in MS Office, didn't they? :)

--J
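A small lint for the rule form discussed above, added here as an example that is not from the thread or from Snort itself: it parses `file key:value; ...;` lines, checks them against the required/optional sets Joshua guesses at (taken as an assumption, not Snort's documented contract), and flags the two README.file slips he mentions (smart quotes and `sid` where `id` is expected). The sample rules are constructed.

```python
"""Lint for Snort 2.9.6 'file' magic rules (assumed syntax: file key:value; ...;)."""

# Required/optional keyword sets follow the guess in the thread; assumption only.
REQUIRED = {"type", "id", "msg", "content"}
OPTIONAL = {"ver", "category", "group", "offset", "rev"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # the MS Office quotes README.file contains


def split_options(text):
    """Split on ';' outside double quotes so content:"a;b" stays one option."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_file_rule(line):
    """Turn 'file type:FOO; id:1; ...' into a dict of option -> raw value."""
    body = line.strip()
    if not body.startswith("file "):
        raise ValueError("not a file rule: %r" % line)
    opts = {}
    for chunk in split_options(body[len("file "):]):
        key, sep, val = chunk.partition(":")
        if not sep:
            raise ValueError("option without a value: %r" % chunk)
        opts[key.strip()] = val.strip()
    return opts


def lint_file_rule(line):
    """Return a list of problems; an empty list means the rule passes these checks."""
    problems = []
    if any(q in line for q in SMART_QUOTES):
        problems.append('smart quote in rule; use ASCII " instead')
    opts = parse_file_rule(line)
    if "sid" in opts and "id" not in opts:
        problems.append("'sid' used where 'id' is expected")
    for key in sorted(REQUIRED - set(opts)):
        problems.append("missing required option '%s'" % key)
    for key in sorted(set(opts) - REQUIRED - OPTIONAL - {"sid"}):
        problems.append("unknown option '%s'" % key)
    for key in ("id", "offset", "rev"):
        if key in opts and not opts[key].isdigit():
            problems.append("'%s' should be numeric, got %r" % (key, opts[key]))
    return problems


# Constructed sample rules, not taken from any Snort distribution.
GOOD = 'file type:PDF; id:1; category:Documents; msg:"PDF document"; content:"%PDF-"; offset:0; rev:1;'
BARE = "file type:FOO;"
README_STYLE = 'file type:FOO; sid:3; msg:\u201cFOO file\u201d; content:"FOO";'

if __name__ == "__main__":
    for rule in (GOOD, BARE, README_STYLE):
        print(rule, "->", lint_file_rule(rule) or "ok")
```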

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
