[Snort-users] New Rules Heads Up
james.lay at ...15009...
Fri Nov 4 17:11:29 EDT 2011
> How does one go about staying informed about new Sourcefire rules that add additional variables BEFORE they are added to the rule set?
> For example, it seems a variable "$FILE_DATA_PORTS" was introduced last night that bombed out my snort. Just wondering if there is a way I can get proactive on this and turn them off in PulledPork BEFORE it kills my IDS in the middle of the night.
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
Not sure of your setup, but I can tell you that I have my rules downloaded about 10 minutes into my work day... so I can monitor my logs. Also, again, not sure of your setup, I've found a log monitor capable of emailing when, say, the word FATAL is seen, to send you an email. Nothing worse than the "ugh... my IDS hasn't been running since midnight" feeling when you come into work.
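A pre-flight check that catches this class of failure before Snort is restarted, as an added example that is not part of the thread and not PulledPork's or Snort's own code: it collects every variable that snort.conf defines with ipvar/portvar/var, scans the freshly downloaded rule file for `$VARIABLE` references in rule headers, and reports any that are undefined together with their SIDs. The snort.conf fragment and rule lines below are constructed samples (the second rule reproduces the one quoted above, which references `$FILE_DATA_PORTS` without the conf defining it); the helper that emits `gid:sid` lines assumes PulledPork's disablesid.conf format so the offending rules can be disabled until the variable is added.

```python
"""Flag rule-header variables that the local snort.conf does not define.

Run this against a newly pulled rule set before restarting Snort; an
undefined variable in any active rule is a FATAL error at start-up.
"""
import re
import sys

# Constructed sample snort.conf fragment (not from the thread).
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""

# Constructed sample rule file: the second line is the rule quoted in the
# thread and references $FILE_DATA_PORTS, which SAMPLE_CONF never defines.
# The third line is a PulledPork-style disabled rule and must be ignored.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Real Media file magic detection"; flow:to_client,established; file_data; content:".RMF"; within:4; fast_pattern; flowbits:set,http.realplayer,fileidentify; flowbits:noalert; classtype:misc-activity; sid:20456; rev:2;)
# alert tcp $EXTERNAL_NET $UNUSED_PORTS -> $HOME_NET any (msg:"disabled"; sid:1000002; rev:1;)
"""

# ipvar/portvar/var definitions at the start of a conf line.
DEF_RE = re.compile(r'^\s*(?:ipvar|portvar|var)\s+([A-Za-z_][A-Za-z0-9_]*)\s', re.M)
# $NAME references; only applied to the rule header so "$" inside
# content:"..." options (e.g. PHP-style strings) does not produce noise.
USE_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
SID_RE = re.compile(r'\bsid:\s*(\d+)')


def defined_variables(conf_text):
    """Set of variable names defined by ipvar/portvar/var lines."""
    return set(DEF_RE.findall(conf_text))


def rule_variable_uses(rules_text):
    """Map variable name -> list of SIDs whose header references it.

    Comment lines (including rules PulledPork disabled with '#') are skipped.
    """
    uses = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        header = stripped.split('(', 1)[0]  # variables live in the header
        sid_match = SID_RE.search(stripped)
        sid = int(sid_match.group(1)) if sid_match else None
        for var in USE_RE.findall(header):
            uses.setdefault(var, []).append(sid)
    return uses


def undefined_variables(conf_text, rules_text):
    """Map of undefined variable -> SIDs that would make Snort fail to start."""
    defined = defined_variables(conf_text)
    return {v: sids for v, sids in rule_variable_uses(rules_text).items()
            if v not in defined}


def disablesid_lines(conf_text, rules_text, gid=1):
    """'gid:sid' lines (PulledPork disablesid.conf format, assumed) for the
    rules that reference an undefined variable, sorted and de-duplicated."""
    sids = {s for sids in undefined_variables(conf_text, rules_text).values()
            for s in sids if s is not None}
    return [f"{gid}:{s}" for s in sorted(sids)]


def main(argv):
    # Usage: check_rule_vars.py snort.conf downloaded.rules
    # With no arguments the constructed samples above are used.
    if len(argv) == 3:
        conf = open(argv[1], encoding='utf-8', errors='replace').read()
        rules = open(argv[2], encoding='utf-8', errors='replace').read()
    else:
        conf, rules = SAMPLE_CONF, SAMPLE_RULES
    missing = undefined_variables(conf, rules)
    if not missing:
        print("OK: every rule-header variable is defined")
        return 0
    for var, sids in sorted(missing.items()):
        print(f"UNDEFINED ${var} used by sid(s): {sorted(s for s in sids if s)}")
    print("disablesid.conf additions:")
    for line in disablesid_lines(conf, rules):
        print(f"  {line}")
    return 1  # non-zero so a cron wrapper can refuse to restart Snort


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Wiring this into the rule-update job (run it after PulledPork writes the rule file and skip the Snort restart on a non-zero exit) turns the "my IDS has been down since midnight" discovery into a morning e-mail with the SIDs to disable or the portvar to add.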