[Snort-sigs] flowbits: netsenum

waldo kitty wkitty42 at ...3507...
Thu May 30 14:23:08 EDT 2013


On 5/30/2013 07:01, Joel Esler wrote:
>
> On May 29, 2013, at 7:53 PM, waldo kitty<wkitty42 at ...3507...>  wrote:
>
>>>> additionally, both existing rules' MSG are identical... one should
>>>> speak of "to client" and the other "to server" in the MSG for
>>>> clarity??
>>>
>>> The "set" rule is noalert. You'll never see it alert.
>>
>> true but perhaps someone sets them to show an alert? ;)
>
> Is that something you do?  I'm not asking that to be a smartass, I'm asking
> if that's actually a use case that I haven't studied.

we have had some folks do that so they could follow through with the processing 
flow and the rules that are seen... it was a mess that some of them regretted 
having done and a revert of the updater's conf along with a new rules pack 
download sussed that...

at least they were smart enough to also adjust the priority to 5 or higher so 
the reactive alert blocking mechanism didn't go blocking the entire internet 
based on them ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
