[Snort-sigs] flowbits: netsenum
jesler at ...435...
Thu May 30 14:53:45 EDT 2013
On May 30, 2013, at 2:23 PM, waldo kitty <wkitty42 at ...3507...> wrote:
> On 5/30/2013 07:01, Joel Esler wrote:
>> On May 29, 2013, at 7:53 PM, waldo kitty <wkitty42 at ...3507...> wrote:
>>>>> additionally, both existing rules' MSG are identical... one should
>>>>> speak of "to client" and the other "to server" in the MSG for
>>>> The "set" rule is noalert. You'll never see it alert.
>>> true but perhaps someone sets them to show an alert? ;)
>> Is that something you do? I'm not asking that to be a smartass, I'm asking
>> if that's actually a use case that I haven't studied.
> we have had some folks do that so they could follow thru with the processing
> flow and the rules that are seen... it was a mess that some of them regretted
> having done and a revert of the updater's conf along with a new rules pack
> download sussed that...
> at least they were smart enough to also adjust the priority to 5 or higher so
> the reactive alert blocking mechanism didn't go blocking the entire internet
> based on them ;)
I can see the context for them may be interesting, but in the grand scheme of things, I don't know if it's truly necessary. I mean, if this is something that people want, I can do it, but it doesn't seem to be high on the priority list.
Senior Research Engineer, VRT
OpenSource Community Manager