Correct.<div><br></div><div>If you have the var in snort.conf, it shouldn't matter which rule file we put it in.  That being said, I assume your "I wasn't" comment means you aren't using file-identify.rules.  <br>
<br></div><div>We moved most of the rules that "Set" flowbits into this file.  Meaning that if you are not using this rule file, that means that many of your flowbits are not being set that, increasingly, other rules are using.  So this file is extremely important.</div>
<div><br></div><div><a href="http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html">http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html</a></div><div><br></div><div>We write our rules and turn then on or off with the thought process that you are either using Sourcefire's Defense Center, or pulledpork.  As both of these handle flowbit dependancies and default policy selection.</div>
<div><br></div><div>Joel</div><div><br><div class="gmail_quote">On Thu, Dec 8, 2011 at 9:23 AM, Michael Scheidell <span dir="ltr"><<a href="mailto:michael.scheidell@...1331...">michael.scheidell@...1331...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I wasn’t.. but problem is that the new var got put into web-client.rules last night.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Your blog doesn’t mention that LEGACY rule sets would be affected.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1f497d"><u></u> <u></u></span></b></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Again:<u></u><u></u></span></p><div class="im"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal">In theory, there is no difference between theory and practice.<br>In practice, there is.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</div></div></blockquote></div></blockquote></div></div></blockquote></div><br></div>