[Snort-sigs] flowbits: netsenum

Joel Esler jesler at ...435...
Thu May 30 17:54:32 EDT 2013


On May 30, 2013, at 5:24 PM, waldo kitty <wkitty42 at ...3507...> wrote:
> On 5/30/2013 16:28, Joel Esler wrote:
>> On May 30, 2013, at 4:05 PM, waldo kitty <wkitty42 at ...3507...
>> <mailto:wkitty42 at ...3507...>> wrote:
>> 
>>> what i ran into and the reason for my original posts, was that the bits were set
>>> but there was nothing to check them... no indication of a SO only rule or just a
>>> forgotten or commented out standard alert rule... that's why i ran my grep to
>>> find out if there was a rule disabled by default for those flowbits setters...
>>> if there was and it was disabled by default, then it might either need to be
>>> enabled by default or the flowbits setter rule should also be disabled by default…
>> 
>> And it is much appreciated. I love the feedback, I'm trying to make the "out
>> of the box" policy as good as I can get it, if you adjust from there, that's on you.
> 
> agreed! glad you appreciate the feedback... it helps to keep "us" from drinking 
> too much during "game time" ;) ;) O:)

We do appreciate the feedback, it's how we get better.

>>> as far as SO rules go, i don't know about other environments but ours does not
>>> use them by default... it requires specific and manual intervention to enable
>>> them as well as making them work (generating the stubs in the proper place and
>>> updating them when they change)... the fact that our environment is its own
>>> distribution and not one of the big name brand ones adds complication to the
>>> process since they are distributed only in compiled form…
>> 
>> Well, from our perspective, we ship them in a "default" state. If people choose
>> not to use the SOs, or can't, then that's a use case we can't work around.
> 
> the main problem, as noted above, is that it is not easy to tell which OS 
> version compilation will work in our environment... at one time we were able to 
> use Centos-4.6 but that changed in later releases... then the Centos stuff 
> didn't work at all for a bit and folks were forced to disable the SO rules 
> because of snort crashing... i'm not sure which compilation might work these 
> days so it is not something supported out of our box... that's why i stated 
> "specific and manual intervention" ;)
> 
> when the drummer's drumbeat keeps changing beat count randomly and at random 
> points in time, it is best to find a sane and consistent drummer to march to 
> instead of keeping on stumbling and fumbling around... we've done that by 
> avoiding the SO rules in our official packages and support O:)

I understand what you are saying. We follow a pretty strict EOL policy (http://www.snort.org/vrt/rules/eol_policy), and we follow the same line of thinking for the OS builds on our backend that compile these as well.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
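
An added example, not from this thread or the VRT, of the kind of check waldo kitty describes running with grep: a small Python audit that maps every flowbit set by an enabled rule to whether an enabled rule checks it, flagging bits whose only checker is commented out and bits with no checker at all. The rule lines are constructed for the demonstration and the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread): sid 1000001's bit is checked by an
# enabled rule, sid 1000003's checker is commented out, sid 1000005 has no checker.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB session"; flowbits:set,smb.session; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB follow-up"; flowbits:isset,smb.session; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP stage one"; flowbits:set,http.stage1; flowbits:noalert; sid:1000003; rev:1;)
# alert tcp any any -> $HOME_NET 80 (msg:"HTTP stage two"; flowbits:isset,http.stage1; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP setter"; flowbits:set,smtp.orphan; flowbits:noalert; sid:1000005; rev:1;)
"""

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

def bit_names(arg):
    """'a', 'a&b', 'a|b' and 'a,group' all yield the bit names involved."""
    return [n.strip() for n in re.split(r"[&|]", arg.split(",")[0]) if n.strip()]

def audit_flowbits(rules_text):
    """Map each bit set by an enabled rule to 'checked', 'checker_disabled' or 'orphan'."""
    set_bits = set()
    checkers = defaultdict(set)  # bit -> {"enabled", "disabled"}
    for raw in rules_text.splitlines():
        line = raw.strip()
        disabled = line.startswith("#")  # a commented-out rule still tells us intent
        body = line.lstrip("# ")
        if not SID_RE.search(body):
            continue  # blank line or plain comment, not a rule
        for op, arg in FLOWBITS_RE.findall(body):
            for bit in bit_names(arg):
                if op in SETTERS and not disabled:
                    set_bits.add(bit)
                elif op in CHECKERS:
                    checkers[bit].add("disabled" if disabled else "enabled")
    report = {}
    for bit in sorted(set_bits):
        if "enabled" in checkers[bit]:
            report[bit] = "checked"
        elif "disabled" in checkers[bit]:
            report[bit] = "checker_disabled"  # setter enabled, checker disabled by default
        else:
            report[bit] = "orphan"  # nothing checks this bit at all
    return report

if __name__ == "__main__":
    for bit, status in audit_flowbits(SAMPLE_RULES).items():
        print(f"{bit}: {status}")
```

Point it at the concatenated contents of a rules directory to get the same listing across a whole ruleset, including the SO stub files if they are generated.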

