[Snort-users] New Rules Heads Up

Joel Esler jesler at ...1935...
Fri Nov 4 16:09:29 EDT 2011


http://blog.snort.org

I post EVERYTHING there.

I also posted this change to the list before the ruleset went out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Nov 4, 2011, at 3:39 PM, Gibson, Nathan J. (HSC) wrote:

> Hey all,
>  
> How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
>  
>  
> For example, it seems a variable “$FILE_DATA_PORTS” was introduced last night that bombed out my Snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.
>  
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
>  
>  
>  
>  
> GIBBY
> _____________________________
> Nathan J. Gibson, MsIA, CISSP, CISM,CCNA, MCSA
> IT Architect
> Infrastructure Services
> The University of Oklahoma HSC
> voice: 405.271.2644 x50340
> fax:    405.271.2181

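One way to catch the failure described in this thread before a restart, as an added example that is not from either poster or from Sourcefire: compare the variables used in the headers of a freshly downloaded rules file with those declared in snort.conf, and list the affected rules in the gid:sid form PulledPork's disablesid.conf accepts. The snort.conf fragment and the second rule are constructed samples, the first rule is the one quoted in the post, and the code assumes one rule per line.

```python
import re

# Constructed sample inputs: a snort.conf fragment that predates the new
# variable, plus the rule quoted in the post and one constructed rule.
SNORT_CONF = """\
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
# portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""
NEW_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed example"; sid:1000001; rev:1;)
"""

DECL = re.compile(r"^[ \t]*(?:var|ipvar|portvar)[ \t]+(\w+)", re.M)
VAR = re.compile(r"\$(\w+)")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def defined_vars(conf_text):
    """Names declared with var/ipvar/portvar; commented-out lines do not count."""
    return set(DECL.findall(conf_text))

def undefined_rule_vars(rules_text, known):
    """Map 'gid:sid' -> sorted undefined $variables used in the rule header."""
    missing = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue  # blank line, disabled rule, or not a rule at all
        header, options = line.split("(", 1)
        unknown = sorted(set(VAR.findall(header)) - known)
        sid = SID.search(options)
        if unknown and sid:
            gid = GID.search(options)
            key = f"{gid.group(1) if gid else 1}:{sid.group(1)}"  # gid defaults to 1
            missing[key] = unknown
    return missing

if __name__ == "__main__":
    found = undefined_rule_vars(NEW_RULES, defined_vars(SNORT_CONF))
    for key, names in sorted(found.items()):
        print(key, "uses undefined", ", ".join("$" + n for n in names))
```

Running `snort -T -c` against the updated configuration before restarting the sensor gives the same answer from Snort itself, at the cost of a full configuration load.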