[Snort-sigs] flowbits: netsenum
jesler at ...435...
Thu May 30 17:54:32 EDT 2013
On May 30, 2013, at 5:24 PM, waldo kitty <wkitty42 at ...3507...> wrote:
> On 5/30/2013 16:28, Joel Esler wrote:
>> On May 30, 2013, at 4:05 PM, waldo kitty <wkitty42 at ...3507...> wrote:
>>> what i ran into and the reason for my original posts, was that the bits were set
>>> but there was nothing to check them... no indication of a SO only rule or just a
>>> forgotten or commented out standard alert rule... that's why i ran my grep to
>>> find out if there was a rule disabled by default for those flowbits setters...
>>> if there was and it was disabled by default, then it might either need to be
>>> enabled by default or the flowbits setter rule should also be disabled by default…
>> And it is much appreciated. I love the feedback; I'm trying to make the "out
>> of the box" policy as good as I can get it. If you adjust from there, that's on you.
> agreed! glad you appreciate the feedback... it helps to keep "us" from drinking
> too much during "game time" ;) ;) O:)
We do appreciate the feedback, it's how we get better.
>>> as far as SO rules go, i don't know about other environments but ours does not
>>> use them by default... it requires specific and manual intervention to enable
>>> them as well as making them work (generating the stubs in the proper place and
>>> updating them when they change)... the fact that our environment is its own
>>> distribution and not one of the big name brand ones adds complication to the
>>> process since they are distributed only in compiled form…
>> Well, from our perspective, we ship them in a "default" state. If people choose
>> not to use the SOs, or can't, then that's a use case we can't work around.
> the main problem, as noted above, is that it is not easy to tell which OS
> version compilation will work in our environment... at one time we were able to
> use Centos-4.6 but that changed in later releases... then the Centos stuff
> didn't work at all for a bit and folks were forced to disable the SO rules
> because of snort crashing... i'm not sure which compilation might work these
> days so it is not something supported out of our box... that's why i stated
> "specific and manual intervention" ;)
> when the drummer's drumbeat keeps changing beat count randomly and at random
> points in time, it is best to find a sane and consistent drummer to march to
> instead of keeping on stumbling and fumbling around... we've done that by
> avoiding the SO rules in our official packages and support O:)
I understand what you are saying. We follow a pretty strict EOL policy (http://www.snort.org/vrt/rules/eol_policy), and we follow the same line of thinking for the OS builds on our backend that compile these as well.
Senior Research Engineer, VRT
OpenSource Community Manager
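An added example of the audit waldo kitty describes doing with grep: it walks a Snort rule file and reports every flowbit that an enabled rule sets but that no enabled rule ever checks, distinguishing "no checker at all" from "checker exists but is commented out". This is illustration code written for this thread, not part of the VRT rule set or any Snort tooling; the rules in SAMPLE_RULES and their sids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rules: an enabled setter with no checker, an enabled setter whose only
# checker is commented out, a consistent set/isset pair, and a disabled setter (harmless).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EX http setter"; flowbits:set,ex.getseen; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EX smb setter"; flowbits:set,ex.smb.neg; flowbits:noalert; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EX smb follow-up"; flowbits:isset,ex.smb.neg; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EX ftp setter"; flowbits:set,ex.ftp.login,ex_group; flowbits:noalert; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EX ftp check"; flowbits:isset,ex.ftp.login|ex.ftp.anon; sid:1000005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EX disabled setter"; flowbits:set,ex.ssh.banner; flowbits:noalert; sid:1000006; rev:1;)
# ordinary comment lines like this one are ignored
"""

ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]*))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

def parse_rules(text):
    """Yield (sid, enabled, [(op, [bits])]) for each rule line, commented-out rules included."""
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        if not body.startswith(ACTIONS):
            continue  # blank line or a plain comment, not a disabled rule
        sid = SID_RE.search(body)
        if not sid:
            continue
        ops = []
        for op, arg in FLOWBITS_RE.findall(body):
            names = arg.split(",")[0] if arg else ""   # "set,bit,group": drop the group name
            bits = [b.strip() for b in re.split(r"[&|]", names) if b.strip()]
            ops.append((op.lower(), bits))
        yield int(sid.group(1)), enabled, ops

def audit_flowbits(text):
    """Return {bit: {"set_by": [sids], "disabled_checkers": [sids]}} for every bit set by an
    enabled rule that no enabled rule checks; an empty disabled_checkers list means no checker exists."""
    set_by, enabled_checks, disabled_checks = defaultdict(list), set(), defaultdict(list)
    for sid, enabled, ops in parse_rules(text):
        for op, bits in ops:
            for bit in bits:
                if op in SETTERS and enabled:
                    set_by[bit].append(sid)
                elif op in CHECKERS and enabled:
                    enabled_checks.add(bit)
                elif op in CHECKERS:
                    disabled_checks[bit].append(sid)
    return {bit: {"set_by": sids, "disabled_checkers": disabled_checks.get(bit, [])}
            for bit, sids in set_by.items() if bit not in enabled_checks}

if __name__ == "__main__":
    for bit, info in audit_flowbits(SAMPLE_RULES).items():
        print(bit, info)
```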