[Snort-sigs] flowbits: file.wma

Joel Esler jesler at ...435...
Wed May 29 11:20:46 EDT 2013


On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 at ...3507...> wrote:

> 
> there is no check rule in the *.rules files for flowbits: file.wma…

It's checked in an SO rule.

> 
> additionally:
>   SID:15921 - should mention HTTP since that is the checked vector?
>   SID:12972 - should clarify inbound to client?
>   SID:23188 - should mention inbound via pop3/imap2 to client for clarity?

We have a standard naming convention for file-identify rules.  Since they are all set to "noalert", you'll never see the msg verbiage anyway in your alert console.

>   SID:23189 - should mention outbound via SMTP to server for clarity?
>   SID:23732 - should mention outbound via SMTP to server for clarity?


They aren't outbound, they are inbound. Also, see above.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
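
The question in this thread, a flowbit that is set in the text rules but never checked there, can be audited mechanically. The following is an added example, not part of the original message and not VRT code: it lists flowbits that are set but never tested with `isset`/`isnotset` in a block of rule text. The sample rules and SIDs are constructed for illustration, and `audit_flowbits` is a hypothetical helper name. As the reply above notes, a bit reported here may still be checked in an SO rule, which this text-only audit cannot see.

```python
import re
from collections import defaultdict

# Constructed sample rules (not real VRT rules; SIDs are placeholders).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY example WMA detected"; flow:to_client,established; content:"|30 26 B2 75|"; flowbits:set,file.wma; flowbits:noalert; sid:1000001;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY example PDF detected"; flow:to_client,established; content:"%PDF-"; flowbits:set,file.pdf; flowbits:noalert; sid:1000002;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF example check"; flow:to_client,established; flowbits:isset,file.pdf; content:"/JS"; sid:1000003;)
"""

# flowbits:<op>[,<name>[,<group>]]; only the op and the bit name are captured.
FLOWBITS = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)")

SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def audit_flowbits(rules_text):
    """Return {flowbit: [sids that set it]} for bits never checked in rules_text."""
    set_by = defaultdict(list)
    checked = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        m = SID.search(line)
        sid = int(m.group(1)) if m else None
        for op, names in FLOWBITS.findall(line):
            op = op.lower()
            # A single option may name several bits joined with & or |.
            for name in re.split(r"[&|]", names or ""):
                name = name.strip()
                if not name:
                    continue  # e.g. flowbits:noalert carries no bit name
                if op in SETTERS:
                    set_by[name].append(sid)
                elif op in CHECKERS:
                    checked.add(name)
    return {bit: sids for bit, sids in set_by.items() if bit not in checked}


if __name__ == "__main__":
    for bit, sids in audit_flowbits(SAMPLE_RULES).items():
        print(f"{bit}: set by SID(s) {sids}, no isset/isnotset in text rules")
```
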
