[Snort-sigs] flowbits: netsenum
wkitty42 at ...3507...
Thu May 30 14:23:08 EDT 2013
On 5/30/2013 07:01, Joel Esler wrote:
> On May 29, 2013, at 7:53 PM, waldo kitty<wkitty42 at ...3507...> wrote:
>>>> additionally, both existing rules' MSG are identical... one should
>>>> speak of "to client" and the other "to server" in the MSG for
>>> The "set" rule is noalert. You'll never see it alert.
>> true but perhaps someone sets them to show an alert? ;)
> Is that something you do? I'm not asking that to be a smartass, I'm asking
> if that's actually a use case that I haven't studied.
we have had some folks do that so they could follow thru with the processing
flow and the rules that are seen... it was a mess that some of them regretted
having done and a revert of the updater's conf along with a new rules pack
download sussed that...

at least they were smart enough to also adjust the priority to 5 or higher so
the reactive alert blocking mechanism didn't go blocking the entire internet
based on them ;)

NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.