Snort mailing list archives

Re: (no subject)


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 3 Mar 2011 17:49:36 -0700

Makes perfect sense, and what I've done to address the issue you raised at the end of your email is keep the
flowbits:set rule enabled, but create a suppress statement for it.

PS. And I'm excited to see the new features!

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com] 
Sent: Thursday, March 03, 2011 4:44 PM
To: Jefferson, Shawn
Cc: Jason Wallace; wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

To address this, the logic behind PP does just what Jason had said...
if you have rules that are looking for flowbits:isset values, it enables the respective, and required, flowbits:set 
values.

Further, if you have specified a flowbits:set rule to be explicitly disabled in the disablesid.conf section and PP
needs to automatically re-enable that due to it being a dependency of other rules, it will do so. And Shawn, to
address your concern: that was a feature request that has been added to the current version that can be found in the
svn repo. I anticipate having a release out soon; it contains numerous bug-fixes and feature enhancements. I'm just
waiting on some code commits to complete.

Consider this logic re: flowbit auto re-enabling:

I have 3 critical rules that look for current 0-day type traffic.
They all contain flowbits:isset,this.foo; and you disabled the rule that contains flowbits:set,this.foo; because it was
generating an event like "POLICY this schmuck downloaded tha foo!" and you did not want to see that. By disabling, and
subsequently not re-enabling, the rule containing flowbits:set,this.foo; you would be silently disabling the other 3
critical rules that relied on that flowbit. Make sense?

JJC
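The flowbit dependency resolution JJC describes, together with Shawn's suppress alternative, as an added Python example (not PulledPork's own code; the rule lines, sids and bit names are constructed placeholders, and the function names are my own):

```python
"""PulledPork-style flowbits dependency check over a constructed Snort rule set."""
import re

# Constructed sample rules (placeholders, not real VRT rules): one setter for this.foo,
# three "critical" rules that need it, one setter for other.bar, one setter nobody uses.
RULES = r'''
alert tcp any any -> any 80 (msg:"POLICY this schmuck downloaded tha foo!"; content:"foo"; flowbits:set,this.foo; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any 80 -> any any (msg:"EXPLOIT 0-day A"; flowbits:isset,this.foo; content:"A"; sid:1000002; rev:1;)
alert tcp any 80 -> any any (msg:"EXPLOIT 0-day B"; flowbits:isset,this.foo; content:"B"; sid:1000003; rev:1;)
alert tcp any 80 -> any any (msg:"EXPLOIT 0-day C"; flowbits:isset,this.foo&other.bar; content:"C"; sid:1000004; rev:1;)
alert tcp any any -> any 443 (msg:"POLICY bar seen"; flowbits:set,other.bar; sid:1000005; rev:1;)
alert tcp any any -> any 25 (msg:"POLICY unused bit"; flowbits:set,nobody.uses; sid:1000006; rev:1;)
'''

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*(\w+)\s*(?:,\s*([^;]+))?\s*;')

def parse_rules(text):
    """Return {sid: (bits_this_rule_sets, bits_this_rule_checks)} for each rule line."""
    rules = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sets, needs = set(), set()
        for op, arg in FLOWBITS_RE.findall(line):
            # isset accepts 'a&b' / 'a|b' combinations; every named bit is a dependency
            names = {n.strip() for n in re.split(r'[&|]', arg)} if arg else set()
            if op in ('set', 'setx', 'toggle'):
                sets |= names
            elif op in ('isset', 'isnotset'):
                needs |= names
        rules[int(m.group(1))] = (sets, needs)
    return rules

def reenable(rules, disabled):
    """PP logic: a disabled rule that sets a bit some enabled rule checks is re-enabled.
    Iterates to a fixpoint so a re-enabled setter's own isset dependencies are honoured too."""
    disabled = set(disabled)
    enabled = set(rules) - disabled
    while True:
        needed = set()
        for sid in enabled:
            needed |= rules[sid][1]
        missing = {sid for sid in disabled - enabled if rules[sid][0] & needed}
        if not missing:
            return sorted(enabled & disabled)   # the disablesid entries PP overrides
        enabled |= missing

def suppress_lines(sids, gen_id=1):
    """Shawn's alternative: leave the setter enabled and silence its event in threshold.conf."""
    return ["suppress gen_id %d, sig_id %d" % (gen_id, s) for s in sids]
```

Disabling sid 1000001 alone gets it re-enabled because sids 1000002-1000004 still need this.foo, whereas sid 1000006 stays disabled since no enabled rule checks nobody.uses.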

