[Snort-sigs] flowbits: netsenum

Joel Esler jesler at ...435...
Thu May 30 16:28:17 EDT 2013


On May 30, 2013, at 4:05 PM, waldo kitty <wkitty42 at ...3507...> wrote:

> what i ran into and the reason for my original posts, was that the bits were set 
> but there was nothing to check them... no indication of a SO only rule or just a 
> forgotten or commented out standard alert rule... that's why i ran my grep to 
> find out if there was a rule disabled by default for those flowbits setters... 
> if there was and it was disabled by default, then it might either need to be 
> enabled by default or the flowbits setter rule should also be disabled by default…

And it is much appreciated.  I love the feedback, I'm trying to make the "out of the box" policy as good as I can get it, if you adjust from there, that's on you.


> as far as SO rules go, i don't know about other environments but ours does not 
> use them by default... it requires specific and manual intervention to enable 
> them as well as making them work (generating the stubs in the proper place and 
> updating them when they change)... the fact that our environment is its own 
> distribution and not one of the big name brand ones adds complication to the 
> process since they are distributed only in compiled form…

Well, from our perspective, we ship them in a "default" state.  If people choose not to use the SOs, or can't, then that's a use case we can't work around.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
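
The check described in the quoted text (flowbits that are set but that no enabled rule tests, and whether a checker exists but is commented out) can be automated. The following is an added example, not part of the original message and not VRT tooling; the rules, bit names and sids are constructed, `audit_flowbits` is a hypothetical helper, and it reads only the rule text it is given, so a bit tested only inside a compiled SO rule would still be reported.

```python
import re
from collections import defaultdict

# Constructed sample rules (not real VRT rules); a leading '#' marks a rule disabled by default.
SAMPLE_RULES = """\
alert tcp any any -> any 139 (msg:"constructed setter A"; flowbits:set,demo.bit_a; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 139 (msg:"constructed checker A"; flowbits:isset,demo.bit_a; sid:1000002;)
alert tcp any any -> any 445 (msg:"constructed setter B"; flowbits:set,demo.bit_b; flowbits:noalert; sid:1000003;)
# alert tcp any any -> any 445 (msg:"constructed checker B"; flowbits:isset,demo.bit_b; sid:1000004;)
alert tcp any any -> any 80 (msg:"constructed setter C"; flowbits:set,demo.bit_c; flowbits:noalert; sid:1000005;)
"""

RULE_RE = re.compile(r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$')
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*,\s*([^;,]+?)\s*(?:,[^;]*)?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

def audit_flowbits(text):
    """Return {bit: {"setters": [sids], "disabled_checkers": [sids]}} for every
    bit set by an enabled rule that no enabled rule checks."""
    set_by = defaultdict(list)
    checked = defaultdict(lambda: {True: [], False: []})
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, plain comment, or not a rule
        enabled = m.group(1) is None
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for action, names in FLOWBITS_RE.findall(line):
            for bit in re.split(r'[&|]', names):  # set,a&b / isset,a|b forms
                bit = bit.strip()
                if action in SETTERS and enabled:
                    set_by[bit].append(sid)
                elif action in CHECKERS:
                    checked[bit][enabled].append(sid)
    return {bit: {"setters": sids, "disabled_checkers": checked[bit][False]}
            for bit, sids in set_by.items() if not checked[bit][True]}

if __name__ == "__main__":
    for bit, info in audit_flowbits(SAMPLE_RULES).items():
        print(bit, "set by", info["setters"], "disabled checkers:", info["disabled_checkers"])
```

A bit reported with a non-empty `disabled_checkers` list is the "checker disabled by default" case; an empty list means no text rule tests the bit at all.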

