[Snort-sigs] flowbits: file.wma
jesler at ...435...
Wed May 29 11:20:46 EDT 2013
On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 at ...3507...> wrote:
> there is no check rule in the *.rules files for flowbits: file.wma…
It's checked in an SO rule.
> SID:15921 - should mention HTTP since that is the checked vector?
> SID:12972 - should clarify inbound to client?
> SID:23188 - should mention inbound via pop3/imap2 to client for clarity?
We have a standard naming convention for file-identify rules. Since they are all set to "noalert", you'll never see the msg verbiage anyway in your alert console.
> SID:23189 - should mention outbound via SMTP to server for clarity?
> SID:23732 - should mention outbound via SMTP to server for clarity?
They aren't outbound, they are inbound. Also, see above.
Senior Research Engineer, VRT
OpenSource Community Manager
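
The question in this thread, a flowbit that is set in the text rules but has no visible check, can be audited across a rule set with a short script. This is an added example, not part of the original thread or of the VRT rule set; the sample rules, their SIDs and their messages are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rules: SIDs, messages and content matches are made up.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY sample WMA download"; flow:to_client,established; content:"|30 26 B2 75|"; flowbits:set,file.wma; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY sample PDF download"; flow:to_client,established; content:"%PDF-"; flowbits:set,file.pdf; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF sample check"; flow:to_client,established; flowbits:isset,file.pdf; content:"/JavaScript"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; flowbits:isset,file.wma; sid:1000004; rev:1;)
'''

FLOWBITS = re.compile(r'flowbits\s*:\s*([^;]+);')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

def audit_flowbits(rules_text):
    """Return (set_but_never_checked, checked_but_never_set) as {bit: [sids]}.

    Only enabled text rules are parsed. A bit reported as never checked may
    still be consumed by a shared object (SO) rule, which this cannot see.
    """
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        sid_match = SID.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for option in FLOWBITS.findall(line):
            parts = [p.strip() for p in option.split(",")]
            if len(parts) < 2:                 # noalert / reset carry no bit name
                continue
            action = parts[0].lower()
            target = setters if action in SETTERS else \
                     checkers if action in CHECKERS else None
            if target is None:                 # e.g. unset
                continue
            for bit in re.split(r"[&|]", parts[1]):   # bit1&bit2, bit1|bit2
                target[bit.strip()].add(sid)
    unchecked = {b: sorted(s) for b, s in setters.items() if b not in checkers}
    never_set = {b: sorted(s) for b, s in checkers.items() if b not in setters}
    return unchecked, never_set

if __name__ == "__main__":
    print(audit_flowbits(SAMPLE_RULES))
```

A bit that appears in the first result is a candidate for the situation described in the reply: look for its check in the SO rules before treating the setter as orphaned.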