[Snort-users] New Rules Heads Up
Gibson, Nathan J. (HSC)
Nathan-Gibson at ...15095...
Fri Nov 4 15:39:01 EDT 2011
How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my Snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
Nathan J. Gibson, MsIA, CISSP, CISM, CCNA, MCSA
The University of Oklahoma HSC
voice: 405.271.2644 x50340
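An added example, not part of the original message and not code from Snort or PulledPork: a pre-reload check that lists every variable used in the header of an enabled rule but never defined in snort.conf, which is the condition described above with $FILE_DATA_PORTS. It assumes Snort 2.x var/ipvar/portvar syntax, plain $NAME references, and a single config file (include lines are not followed); the function names and the sample config are constructed.

```python
import re
import sys

# Snort 2.x definitions look like "var|ipvar|portvar NAME value".
DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+([A-Za-z_]\w*)")
REF_RE = re.compile(r"\$([A-Za-z_]\w*)")   # plain $NAME references only
SID_RE = re.compile(r"\bsid:\s*(\d+)")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def defined_vars(conf_text):
    """Names defined by var/ipvar/portvar lines in snort.conf text."""
    found = (DEF_RE.match(line) for line in conf_text.splitlines())
    return {m.group(1) for m in found if m}

def undefined_refs(rules_text, known):
    """Map each undefined variable to the SIDs of the enabled rules using it."""
    missing = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith(ACTIONS):    # skip comments, blanks, disabled rules
            continue
        header = line.split("(", 1)[0]      # variables live in the rule header
        sid = SID_RE.search(line)
        for name in sorted(set(REF_RE.findall(header)) - known):
            missing.setdefault(name, []).append(sid.group(1) if sid else "?")
    return missing

# Constructed sample config: FILE_DATA_PORTS is deliberately not defined.
SAMPLE_CONF = """\
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""
# First rule is the one quoted in the message; the other two are constructed.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed example"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $NOT_DEFINED_EITHER -> $HOME_NET any (msg:"disabled"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    # Real use: pass the paths of snort.conf and the freshly generated rules file.
    conf, rules = SAMPLE_CONF, SAMPLE_RULES
    if len(sys.argv) == 3:
        conf, rules = (open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:])
    missing = undefined_refs(rules, defined_vars(conf))
    for name, sids in missing.items():
        print(f"undefined ${name} used by sid(s): {', '.join(sids)}")
    sys.exit(1 if missing else 0)
```

Run between the rule download and the Snort restart, a non-zero exit status signals that the restart should be held back until the variable is defined or the listed SIDs are disabled.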