[Snort-devel] File magic rules for 2.9.6, what options are required?

Joel Esler (jesler) jesler at ...3461...
Thu Dec 26 22:16:50 EST 2013


Thanks Joshua, one of the devels will get back to you.  

I just wanted to comment on the Smart Quotes part.  I think OSX is using smart quotes now in Mavericks. 

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.  

> On Dec 26, 2013, at 15:45, "Joshua Kinard" <kumba at ...2185...> wrote:
> 
> 
> Doing a quick glance at the new file magic "rules" that one can specify in
> 2.9.6 RC, I am not directly seeing a definition of which of the options are
> required and which aren't.
> 
> So far, it looks like I can write this:
>    file type:FOO;
> 
> And ~/bin/snort -c local.rules -T parses w/o error.
> 
> Logically, my guess is that the following option keywords are going to be
> required for a 'file' definition to work correctly:
>    type
>    id
>    msg
>    content
> 
> With these being optional:
>    ver
>    category
>    group (required only if >1 definition of 'type')
>    offset (assumed 0 if not specified)
>    rev (assumed 1 if not specified)
> 
> Does this sound about right?
> 
> 
> Also, in doc/README.file, there are two minor errors on lines 241 and 243.  First
> is the use of "smart quotes" on the 'msg' keyword and 'sid' instead of 'id'.
> Someone wrote part of this in MS Office, didn't they? :)
> 
> --J
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
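As an added illustration (not code from the thread or from Snort itself), here is a small Python checker for the `file type:FOO;` rule form discussed above. It parses the `keyword:value;` options, reports which of the keywords Joshua lists as required are missing, fills in his assumed defaults for `offset` and `rev`, and matches the `content` bytes against sample data. The required/optional split and the defaults are taken from his guess and are assumptions here, not confirmed Snort behaviour.

```python
import re

# Assumption: the required/optional split proposed in the thread (not settled there).
REQUIRED = {"type", "id", "msg", "content"}
DEFAULTS = {"offset": "0", "rev": "1"}          # assumed defaults from the thread
KNOWN = REQUIRED | set(DEFAULTS) | {"ver", "category", "group"}

# One 'keyword:value;' option; the value is a quoted string or anything up to ';'.
_OPT = re.compile(r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def parse_file_rule(rule):
    """Parse 'file key:value; ...' into a dict of options.

    Raises ValueError on malformed syntax or an unknown keyword (e.g. 'sid')."""
    rule = rule.strip()
    if not rule.startswith("file "):
        raise ValueError("not a file rule")
    body, opts, pos = rule[5:], {}, 0
    while pos < len(body):
        m = _OPT.match(body, pos)
        if not m:
            raise ValueError("malformed option near %r" % body[pos:pos + 20])
        key, val = m.group(1), m.group(2)
        if key not in KNOWN:
            raise ValueError("unknown keyword %r" % key)
        opts[key] = val
        pos = m.end()
    return opts

def check_rule(opts):
    """Fill in the assumed defaults and return the sorted list of missing required keywords."""
    for key, val in DEFAULTS.items():
        opts.setdefault(key, val)
    return sorted(REQUIRED - set(opts))

def content_bytes(val):
    """Decode Snort content notation: quoted text with optional |hex| runs, or a bare |hex| run."""
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    out = bytearray()
    for i, part in enumerate(val.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def rule_matches(opts, data):
    """True if the rule's content appears at its offset in data (a file's leading bytes)."""
    pat, off = content_bytes(opts["content"]), int(opts["offset"])
    return data[off:off + len(pat)] == pat
```

With the bare `file type:FOO;` from the post, `check_rule` reports `content`, `id` and `msg` as missing, which is the kind of check `snort -T` does not appear to perform.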
