[Snort-users] New Rules Heads Up

Gibson, Nathan J. (HSC) Nathan-Gibson at ...15095...
Fri Nov 4 15:39:01 EDT 2011

Hey all,

How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?

For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my Snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)

Nathan J. Gibson, MsIA, CISSP, CISM,CCNA, MCSA
IT Architect
Infrastructure Services
The University of Oklahoma HSC
voice: 405.271.2644 x50340
fax:    405.271.2181
