Snort mailing list archives

Re: flowbits: file.wma
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 11:20:46 -0400

On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 () windstream net> wrote:

> there is no check rule in the *.rules files for flowbits: file.wma…

It's checked in an SO rule.

>   SID:15921 - should mention HTTP since that is the checked vector?
>   SID:12972 - should clarify inbound to client?
>   SID:23188 - should mention inbound via pop3/imap2 to client for clarity?

We have a standard naming convention for file-identify rules.  Since they are all set to "noalert", you'll never see the msg verbiage anyway in your alert console.

>   SID:23189 - should mention outbound via SMTP to server for clarity?
>   SID:23732 - should mention outbound via SMTP to server for clarity?

They aren't outbound, they are inbound, also, see above.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
