Home page logo
/

snort logo Snort mailing list archives

Re: flowbits: file.wma
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 May 2013 11:20:46 -0400

On May 29, 2013, at 10:58 AM, waldo kitty <wkitty42 () windstream net> wrote:


there is no check rule in the *.rules files for flowbits: file.wma…

It's checked in an SO rule.


additionally:
  SID:15921 - should mention HTTP since that is the checked vector?
  SID:12972 - should clarify inbound to client?
  SID:23188 - should mention inbound via pop3/imap2 to client for clarity?

We have a standard naming convention for file-identify rules.  Since they are all set to "noalert", you'll never see 
the msg verbiage anyway in your alert console.

  SID:23189 - should mention outbound via SMTP to server for clarity?
  SID:23732 - should mention outbound via SMTP to server for clarity?


They aren't outbound, they are inbound, also, see above.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]