[Snort-users] New Rules Heads Up

Joel Esler jesler at ...1935...
Fri Nov 4 16:44:29 EDT 2011


Gregory,

Yes, we take care of this automatically in the product.

This new rule is in the new FILE-IDENTIFY rule category.  It's disabled by default.

The Sourcefire product and PulledPork will automatically enable it if you have any rules enabled that check the http.realplayer flowbit.

Please see my post on the VRT blog here:
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

Joel

On Nov 4, 2011, at 4:10 PM, Gregory Zill wrote:

> Sourcefire support sends out an SEU notice via e-mail. I pull/apply
> the new SEU automatically once per week to allow review. Also,
> Sourcefire enables variables automatically within the SEU application.
> 
> However, I am not finding the ID 20456 searching through Snort,
> Emerging or Sourcefire rule bases.
> 
> On Fri, Nov 4, 2011 at 2:39 PM,
> <snort-users-request at lists.sourceforge.net> wrote:
>> ------------------------------
>> 
>> Message: 6
>> Date: Fri, 4 Nov 2011 14:39:01 -0500
>> From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson at ...15095...>
>> Subject: [Snort-users] New Rules Heads Up
>> To: "snort-users at lists.sourceforge.net"
>>        <snort-users at lists.sourceforge.net>
>> Message-ID:
>>        <B30DD99805FB504981E5411867CF4B9C27A97670FF at ...15096...>
>> Content-Type: text/plain; charset="us-ascii"
>> 
>> Hey all,
>> 
>> How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
>> 
>> 
>> For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my Snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.
>> 
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
>> 
>> GIBBY
> 
> -- 
> Gregory W Zill
> 
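As an added example (not code from this thread, nor from Sourcefire or PulledPork), here is a small pre-deployment check for the two problems raised above: rules that reference a $VARIABLE the snort.conf does not define, and rules that check a flowbit no enabled rule sets (the dependency Joel describes PulledPork resolving automatically). The snort.conf fragment and the consumer rule sid 999001 are constructed for the example; sid 20456 is the rule quoted in Nathan's mail.

```python
import re

# Constructed snort.conf fragment: FILE_DATA_PORTS is deliberately NOT defined,
# reproducing the undefined-variable failure described in the thread.
SNORT_CONF = "ipvar HOME_NET 10.0.0.0/8\nipvar EXTERNAL_NET !$HOME_NET\nportvar HTTP_PORTS [80,8080]\n"

# Constructed rules file: sid 20456 from the thread plus a hypothetical consumer
# rule (sid 999001) that checks the http.realplayer flowbit 20456 sets.
RULES = """
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE RealPlayer consumer"; flowbits:isset,http.realplayer; sid:999001; rev:1;)
"""

VAR_DEF_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\b', re.M)  # var definitions in snort.conf
VAR_REF_RE = re.compile(r'\$(\w+)')                                     # $VARIABLE references in rules
SID_RE = re.compile(r'\bsid:\s*(\d+)')
FLOWBITS_RE = re.compile(r'flowbits:\s*(\w+)(?:,([\w.]+))?')            # (operation, flowbit name)

def active_rules(rules_text):
    """Yield (sid, line) for enabled rules; '#'-commented (disabled) rules are skipped."""
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith('#'):
            yield int(m.group(1)), line

def undefined_variables(conf, rules_text):
    """Map each $VAR used by an enabled rule but not defined in conf -> set of sids using it."""
    known = set(VAR_DEF_RE.findall(conf))
    missing = {}
    for sid, line in active_rules(rules_text):
        for var in VAR_REF_RE.findall(line):
            if var not in known:
                missing.setdefault(var, set()).add(sid)
    return missing

def unsatisfied_flowbits(rules_text):
    """Map each flowbit checked by an enabled rule but set by no enabled rule -> checking sids."""
    setters, checkers = set(), {}
    for sid, line in active_rules(rules_text):
        for op, name in FLOWBITS_RE.findall(line):
            if op in ('set', 'setx', 'toggle'):
                setters.add(name)
            elif op in ('isset', 'isnotset'):
                checkers.setdefault(name, set()).add(sid)
    return {bit: sids for bit, sids in checkers.items() if bit not in setters}

if __name__ == '__main__':
    print(undefined_variables(SNORT_CONF, RULES))  # {'FILE_DATA_PORTS': {20456}}
    # Commenting out sid 20456 leaves the consumer rule's flowbit with no setter.
    print(unsatisfied_flowbits(RULES.replace('\nalert', '\n# alert', 1)))  # {'http.realplayer': {999001}}
```

Run it against the real snort.conf and the freshly pulled rules before restarting Snort; a non-empty result from either function is the condition that would otherwise fail at startup or silently leave a consumer rule dead.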