[Snort-users] New Rules Heads Up

Joel Esler jesler at ...1935...
Fri Nov 4 16:26:59 EDT 2011


As a followup -- you'll want to add that variable into the snort.conf.  As you NEED (and pulledpork will auto-enable) the FILE-IDENTIFY rules it needs.

As an additional followup -- If you are using oinkmaster, you'll have to manually resolve these, or switch to pulledpork.

J

On Nov 4, 2011, at 3:39 PM, Gibson, Nathan J. (HSC) wrote:

> Hey all,
>  
> How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
>  
>  
> For example it seems a variable “$FILE_DATA_PORTS” was introduced last night that bombed out my snort. Just wondering if there is a way I can get proactive on this. And turn them off in pulled pork BEFORE it kills my IDS in the middle of the night.
>  
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
>  
>  
>  
>  
> GIBBY
> _____________________________
> Nathan J. Gibson, MsIA, CISSP, CISM,CCNA, MCSA
> IT Architect
> Infrastructure Services
> The University of Oklahoma HSC
> voice: 405.271.2644 x50340
> fax:    405.271.2181
> Feedback?  Email comments to Chris Hodges

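The failure Nathan describes (a rule update that references a variable the local snort.conf never defines) is easy to catch before the new ruleset is loaded. The script below is an added example written for this page; it is not code from the thread, from Joel, or from the Snort or pulledpork projects. It assumes the Snort 2.x `ipvar` / `portvar` / `var` keywords in snort.conf, works on a constructed snort.conf fragment and two constructed rule lines (the first is the rule quoted in the thread), and uses `<FILL_IN_PORTS>` as a deliberate placeholder because the thread does not state what `$FILE_DATA_PORTS` should contain.

```python
import re

# Constructed sample snort.conf fragment: note that FILE_DATA_PORTS is NOT defined here.
SNORT_CONF = """\
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules
# portvar COMMENTED_OUT 9999   (commented definitions do not count)
"""

# Constructed sample rules file: line 1 is the FILE-IDENTIFY rule quoted in the thread,
# line 2 is a made-up rule that only uses already-defined variables.
RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed example rule"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $IGNORED_VAR -> $HOME_NET any (msg:"disabled rule"; sid:1000002; rev:1;)
"""

# ipvar/portvar/var definitions in snort.conf
DEF_RE = re.compile(r'^\s*(ipvar|portvar|var)\s+(\w+)\s+(.*)$')
# any $NAME reference
REF_RE = re.compile(r'\$(\w+)')
# rule header: action proto src_ip src_port direction dst_ip dst_port (
HEADER_RE = re.compile(
    r'^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\('
)


def defined_variables(conf_text):
    """Return {name: (keyword, value)} for every variable snort.conf defines."""
    defs = {}
    for line in conf_text.splitlines():
        m = DEF_RE.match(line)
        if m:
            defs[m.group(2)] = (m.group(1), m.group(3).strip())
    return defs


def referenced_variables(rules_text):
    """Return {name: sorted rule line numbers} for every $VAR used by an active rule."""
    refs = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # disabled/commented rules are never loaded, so skip them
        for name in REF_RE.findall(line):
            refs.setdefault(name, set()).add(lineno)
    return {name: sorted(lines) for name, lines in refs.items()}


def variable_roles(rules_text):
    """Infer from header position whether a variable holds IPs (ipvar) or ports (portvar)."""
    roles = {}
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        src_ip, src_port, dst_ip, dst_port = m.group(3), m.group(4), m.group(6), m.group(7)
        for token, keyword in ((src_ip, 'ipvar'), (dst_ip, 'ipvar'),
                               (src_port, 'portvar'), (dst_port, 'portvar')):
            for name in REF_RE.findall(token):
                roles.setdefault(name, keyword)
    return roles


def undefined_variables(conf_text, rules_text):
    """Variables used by active rules but missing from snort.conf: {name: [line numbers]}."""
    defs = defined_variables(conf_text)
    return {name: lines for name, lines in referenced_variables(rules_text).items()
            if name not in defs}


def suggested_definitions(conf_text, rules_text):
    """One snort.conf line per missing variable, with a placeholder value to fill in."""
    roles = variable_roles(rules_text)
    out = []
    for name in sorted(undefined_variables(conf_text, rules_text)):
        keyword = roles.get(name, 'var')  # 'var' if only seen inside rule options
        placeholder = '<FILL_IN_PORTS>' if keyword == 'portvar' else '<FILL_IN_VALUE>'
        out.append(f'{keyword} {name} {placeholder}')
    return out


if __name__ == '__main__':
    for name, lines in undefined_variables(SNORT_CONF, RULES).items():
        print(f'{name}: not defined in snort.conf, used on rule line(s) {lines}')
    for suggestion in suggested_definitions(SNORT_CONF, RULES):
        print('add to snort.conf:', suggestion)
```

Run against the real snort.conf and the freshly downloaded rules directory as a pre-check in the pulledpork update job, and treat any output as a reason to hold the update until the variable has been added; `snort -T -c snort.conf` remains the authoritative test that the resulting configuration actually parses.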