[Snort-sigs] flowbits:set SID:15730 SID:16093

Alex Kirk akirk at ...435...
Wed Dec 30 16:36:29 EST 2009


Just to clarify, by "SEU" I mean "rule release" (I've had an off-list comment
noting that non-SF customers may not be familiar with the term SEU). Not
trying to confuse/hype SF, just used the wrong term.

On Wed, Dec 30, 2009 at 4:14 PM, Alex Kirk <akirk at ...435...> wrote:

> Not errors on your part, actually good catches.
>
> I'm not sure what happened with the first flowbit, since we've got no
> record of ever having a second rule that would have used that flowbit. It's
> been deleted over here, and will go out that way in the next SEU.
>
> The second flowbit had a rule that used it in our tracking system, and
> somehow that rule never made it into the SEU - probably an error on my part
> while doing a manual add, since I'm the one who committed the rule with the
> flowbit. It's been added now, and will be out in the next SEU.
>
>
> On Wed, Dec 30, 2009 at 3:50 PM, Jason Wallace <jason.r.wallace at ...2420...> wrote:
>
>> Hi,
>>
>> sid:15730 uses flowbits:set,trojan.delf.post; but there is no other
>> rule which uses this flowbit...
>>
>> sid:16093 uses flowbits:set,BugsPrey_detection; flowbits:noalert; but
>> again there is no other rule which uses this flowbit.
>>
>> Are these errors or am I somehow missing rules? I'm using
>> snortrules-snapshot-2.8.tar.gz for registered users and the
>> precompiled rules for 2.8.5
>>
>> Thx,
>> Wally
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...435...
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
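
The by-hand check from the original question, as an added example that is not part of the thread or of any Sourcefire tooling: it lists flowbits that are set but never tested and, going one step beyond the thread, flowbits that are tested but never set. The rules and SIDs below are constructed; only the two flowbit names come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample rules, not taken from any rule release. Only the flowbit
# names trojan.delf.post and BugsPrey_detection come from the thread.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: setter, no checker anywhere"; flowbits:set,trojan.delf.post; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: healthy setter"; flowbits:set,example.request; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: setter, checker missing"; flowbits:set,BugsPrey_detection; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed: healthy checker"; flowbits:isset,example.request; sid:1000004; rev:1;)
# alert tcp any any -> any any (msg:"constructed: disabled checker"; flowbits:isset,BugsPrey_detection; sid:1000005; rev:1;)
alert tcp any any -> any any (msg:"constructed: checker, bit never set"; flowbits:isset,example.never_set; sid:1000006; rev:1;)
'''

# flowbits:<op>[,<name>]; the name is absent for noalert and reset.
FLOWBITS = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,\s]+))?')
SID = re.compile(r'\bsid\s*:\s*(\d+)')
SETTERS = {"set", "toggle"}        # operations that can turn a bit on
CHECKERS = {"isset", "isnotset"}   # operations that read a bit


def audit_flowbits(rules_text):
    """Return (set_but_never_checked, checked_but_never_set) as name -> [sids]."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        sid_match = SID.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for op, name in FLOWBITS.findall(line):
            if not name:                       # noalert / reset carry no bit name
                continue
            if op in SETTERS:
                set_by[name].add(sid)
            elif op in CHECKERS:
                checked_by[name].add(sid)
    unchecked = {n: sorted(s) for n, s in set_by.items() if n not in checked_by}
    never_set = {n: sorted(s) for n, s in checked_by.items() if n not in set_by}
    return unchecked, never_set


if __name__ == "__main__":
    unchecked, never_set = audit_flowbits(SAMPLE_RULES)
    for name, sids in unchecked.items():
        print(f"set but never checked: {name} (sid {sids})")
    for name, sids in never_set.items():
        print(f"checked but never set: {name} (sid {sids})")
```

To audit a real rule set, pass the concatenated text of every enabled .rules file, since a setter and its checker can live in different files.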