[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2011-12-07

Joel Esler jesler at ...435...
Thu Dec 8 09:56:48 EST 2011


Correct.

If you have the var in snort.conf, it shouldn't matter which rule file we
put it in.  That being said, I assume your "I wasn't" comment means you
aren't using file-identify.rules.

We moved most of the rules that "set" flowbits into this file, meaning
that if you are not using this rule file, many of your flowbits are not
being set that, increasingly, other rules are using.  So this file is
extremely important.

http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

We write our rules and turn them on or off with the thought process that
you are either using Sourcefire's Defense Center or pulledpork, as both
of these handle flowbit dependencies and default policy selection.

Joel

On Thu, Dec 8, 2011 at 9:23 AM, Michael Scheidell <
michael.scheidell at ...1331...> wrote:

> I wasn’t.. but problem is that the new var got put into web-client.rules
> last night.
>
> Your blog doesn’t mention that LEGACY rule sets would be affected.
>
> Again:
>
> In theory, there is no difference between theory and practice.
> In practice, there is.
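
The flowbit dependency described in the message above, as an added example that is not part of the original thread and is not Sourcefire's or pulledpork's code: a checker that reports live rules testing a flowbit whose only setter sits in a rule file that is not loaded or is commented out. The rules, SIDs and flowbit names are constructed, the function names are hypothetical, and `loaded` stands for the rule files your snort.conf actually includes.

```python
import re

# Constructed sample rules (not real VRT rules); SIDs and flowbit names are made up.
HDR = "tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"
SAMPLE_RULES = {
    "file-identify.rules": f"""
alert {HDR} (msg:"EXAMPLE PDF magic"; content:"%PDF-"; flowbits:set,example.file.pdf; flowbits:noalert; sid:1000001; rev:1;)
# alert {HDR} (msg:"EXAMPLE SWF magic"; content:"CWS"; flowbits:set,example.file.swf; flowbits:noalert; sid:1000002; rev:1;)
""",
    "web-client.rules": f"""
alert {HDR} (msg:"EXAMPLE PDF check"; flowbits:isset,example.file.pdf; content:"/JS"; sid:1000003; rev:1;)
alert {HDR} (msg:"EXAMPLE SWF check"; flowbits:isset,example.file.swf; content:"DoABC"; sid:1000004; rev:1;)
# alert {HDR} (msg:"EXAMPLE DOC check"; flowbits:isset,example.file.doc; content:"|D0 CF 11 E0|"; sid:1000005; rev:1;)
""",
}

RULE_RE = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\)\s*$")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(files, loaded):
    """Yield (file, sid, live, bits_set, bits_checked) for every rule line."""
    for fname, text in files.items():
        for line in text.splitlines():
            m = RULE_RE.match(line)
            if not m:
                continue
            live = fname in loaded and m.group(1) is None  # file loaded, rule not commented out
            sid = SID_RE.search(line)
            sets, checks = set(), set()
            for option in FLOWBITS_RE.findall(line):
                op, _, rest = option.partition(",")  # "noalert" has no bit name
                names = {n.strip() for n in re.split(r"[|&]", rest.split(",")[0]) if n.strip()}
                if op.strip() in ("set", "setx", "toggle"):
                    sets |= names
                elif op.strip() == "isset":
                    checks |= names
            yield fname, int(sid.group(1)) if sid else None, live, sets, checks

def unresolved_flowbits(files, loaded):
    """Live rules that test a flowbit no live rule sets, with the dormant setters for it."""
    rules = list(parse_rules(files, loaded))
    live_bits = set().union(*(s for _, _, live, s, _ in rules if live))
    dormant = {}  # bit -> [(file, sid)] of setters that exist but are not live
    for f, sid, live, sets, _ in rules:
        for bit in (() if live else sets):
            dormant.setdefault(bit, []).append((f, sid))
    return [(f, sid, bit, dormant.get(bit, [])) for f, sid, live, _, checks in rules
            if live for bit in sorted(checks - live_bits)]
```

Each tuple in the result is (file, sid, flowbit, dormant setters): a rule that can never fire as deployed, and the rule that would have to be enabled to fix it.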