[Snort-sigs] flowbits: netsenum

Joel Esler jesler at ...435...
Thu May 30 14:53:45 EDT 2013


On May 30, 2013, at 2:23 PM, waldo kitty <wkitty42 at ...3507...> wrote:
> On 5/30/2013 07:01, Joel Esler wrote:
>> 
>> On May 29, 2013, at 7:53 PM, waldo kitty<wkitty42 at ...3507...>  wrote:
>> 
>>>>> additionally, both existing rules' MSG are identical... one should
>>>>> speak of "to client" and the other "to server" in the MSG for
>>>>> clarity??
>>>> 
>>>> The "set" rule is noalert. You'll never see it alert.
>>> 
>>> true but perhaps someone sets them to show an alert? ;)
>> 
>> Is that something you do?  I'm not asking that to be a smartass, I'm asking
>> if that's actually a use case that I haven't studied.
> 
> we have had some folks do that so they could follow thru with the processing 
> flow and the rules that are seen... it was a mess that some of them regretted 
> having done and a revert of the updater's conf along with a new rules pack 
> download sussed that...
> 
> at least they were smart enough to also adjust the priority to 5 or higher so 
> the reactive alert blocking mechanism didn't go blocking the entire internet 
> based on them ;)

I can see the context for them may be interesting, but in the grand scheme of things, I don't know if it's truly necessary.  I mean, if this is something that people want, I can do it, but it doesn't seem to be high on the priority list.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
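For readers following the thread, here is an added illustration (not a rule from the VRT rule set or from anyone in this exchange) of the pattern being discussed: a flowbits "set" rule that is noalert, its paired "isset" rule with a direction-specific msg, and the traced variant the quoted poster described, with noalert removed and the priority raised so it is only ever informational. The content strings, the flowbit name and the sids are constructed placeholders in the local sid range.

```snort
# Stage 1: mark the session when the request pattern is seen.
# flowbits:noalert means this rule never produces an alert of its own,
# which is why its msg is normally never displayed.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL example enumeration request (to server), sets flowbit"; flow:to_server,established; content:"EXAMPLE-REQUEST"; flowbits:set,local.example_enum; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Stage 2: fires only on the reply, and only if stage 1 already marked the session.
# Giving it a "to client" msg distinguishes it from stage 1 when both are visible.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL example enumeration response (to client)"; flow:to_client,established; content:"EXAMPLE-RESPONSE"; flowbits:isset,local.example_enum; classtype:misc-activity; sid:1000002; rev:1;)

# Tracing variant of stage 1, as described in the quoted reply: noalert is dropped so
# the set event is visible, and priority is raised to 5 so downstream automation that
# keys on low priority values treats it as informational rather than actionable.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TRACE example enumeration request (to server), sets flowbit"; flow:to_server,established; content:"EXAMPLE-REQUEST"; flowbits:set,local.example_enum; priority:5; classtype:misc-activity; sid:1000003; rev:1;)
```

Only one of sid 1000001 or 1000003 should be enabled at a time, since both set the same flowbit.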