[Snort-sigs] flowbits: file.wmp_playlist

waldo kitty wkitty42 at ...3507...
Wed May 29 10:57:35 EDT 2013


there is no check rule in the *.rules files for flowbits: file.wmp_playlist...


registered subscriber using latest rules pulled 26 May 2013 for

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4.1 GRE (Build 69)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.1.1
            Using PCRE version: 7.8 2008-09-05
            Using ZLIB version: 1.2.6



May 26 04:25:44 frodo snort[22314]: WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.


$ grep -E "file.wmp_playlist" /path/to/snort/*rules*/*.rules

/path/to/snort/rules/file-identify.rules:alert tcp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media Player playlist download"; flow:to_client,established; content:"WMS_CONTENT_DESCRIPTION_PLAYLIST_ENTRY_START_OFFSET"; fast_pattern:only; flowbits:set,file.wmp_playlist; flowbits:noalert; classtype:misc-activity; sid:14264; rev:12;)


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
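
An added example, not part of the original post: a Python sketch that scans rule text for flowbits that are set but never checked, the condition the warning above reports. Every sample rule except sid:14264 is constructed, one rule per line is assumed, and the split into setting keywords (set, setx, toggle) and checking keywords (isset, isnotset) is an assumption about how Snort counts them.

```python
import re
from collections import defaultdict

# Constructed sample: the first rule is sid:14264 as quoted in the post; the
# others are made-up rules with placeholder sids (1000001-1000003).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media Player playlist download"; flow:to_client,established; content:"WMS_CONTENT_DESCRIPTION_PLAYLIST_ENTRY_START_OFFSET"; fast_pattern:only; flowbits:set,file.wmp_playlist; flowbits:noalert; classtype:misc-activity; sid:14264; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE setter"; content:"ABC"; flowbits:set,example.bit; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE checker"; flowbits:isset,example.bit; content:"DEF"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled checker"; flowbits:isset,file.wmp_playlist; sid:1000003; rev:1;)
'''

# Assumption: which flowbits keywords count as "setting" and "checking" a bit.
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
FLOWBITS = re.compile(r'\bflowbits\s*:\s*([^;]+);')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def audit_flowbits(rules_text):
    """Return (set_not_checked, checked_not_set), each as {bit: sorted sids}."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled rules are not loaded, so they do not count
        body = QUOTED.sub('""', line)  # ignore text inside msg/content strings
        m = SID.search(body)
        sid = int(m.group(1)) if m else 0  # 0 marks a rule without a sid
        for opt in FLOWBITS.findall(body):
            parts = [p.strip() for p in opt.split(",")]
            if len(parts) < 2:
                continue  # e.g. flowbits:noalert names no bit
            # Snort 2.9.x accepts several bits per option: bit1&bit2, bit1|bit2
            for bit in re.split(r"[&|]", parts[1]):
                bit = bit.strip()
                if parts[0] in SETTERS:
                    set_by[bit].add(sid)
                elif parts[0] in CHECKERS:
                    checked_by[bit].add(sid)
    unchecked = {b: sorted(s) for b, s in set_by.items() if b not in checked_by}
    unset = {b: sorted(s) for b, s in checked_by.items() if b not in set_by}
    return unchecked, unset

if __name__ == "__main__":
    unchecked, unset = audit_flowbits(SAMPLE_RULES)
    for bit, sids in unchecked.items():
        print(f"flowbits key '{bit}' is set by sid {sids} but never checked")
```

Unlike the plain grep, this skips commented-out rules, so a checker that exists in the rules file but is disabled still leaves the bit reported as unchecked.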
