Snort mailing list archives

File-identify category
From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 5 Jan 2012 16:54:38 +0000


Hello all...

Okay, so I've read
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

At the moment in the ruleset there are 235 rules, of which 159 seem to
be enabled.

I understand the purpose is to identify certain filetypes and then set
a flowbit on them which is being used in other rulesets
(exploit.rules, web-client.rules).

25 of the rules have 'noalert' set - I'm not particularly interested
in the actual download itself and I'm now seeing that SIDs

  18758 FILE-IDENTIFY Microsoft Windows Visual Basic script file download request
  18983 FILE-IDENTIFY Apple Mach-O executable file magic detection
  15306 FILE-IDENTIFY Portable Executable binary file magic detection

are scoring pretty high in my alert logs.

Should I just be suppressing these unwanted alerts or is the intention
to add 'noalert' to more of the rules - or is the plan to have these
rules to use in logging *all* downloads of a particular type?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
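Added illustration (not part of Peter's mail and not the VRT rule text): how the flowbit hand-off between a file-identify rule and a consumer rule works, alongside the threshold.conf suppress entries for the three SIDs named above. The rule bodies, the flowbit name `file.exe`, the content patterns, SIDs 1000001/1000002 and the IP address are all constructed for this example.

```snort
# --- local.rules (constructed, Snort 2.9-era syntax) ---
# A file-identify style rule: it tags the flow and stays silent.
# flowbits:noalert means the rule still runs and still sets the bit,
# it just never generates an event of its own.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"FILE-IDENTIFY PE magic (constructed example)"; \
    flow:to_client,established; \
    file_data; content:"MZ"; depth:2; \
    flowbits:set,file.exe; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# A consumer rule in the style of exploit.rules: it only fires when the
# file-identify rule has already set the bit on this flow, so it never
# alerts on the download itself, only on the constructed marker inside it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXPLOIT marker in PE file (constructed example)"; \
    flow:to_client,established; \
    flowbits:isset,file.exe; \
    file_data; content:"CONSTRUCTED-MARKER"; \
    classtype:attempted-user; sid:1000002; rev:1; )

# --- threshold.conf (real suppress syntax, gen_id 1 = text rules) ---
# Suppression is an event filter: the rule still matches and still sets
# its flowbit, only the event is dropped, so dependent rules keep working.
suppress gen_id 1, sig_id 18758
suppress gen_id 1, sig_id 18983
suppress gen_id 1, sig_id 15306

# Narrower alternative: keep the PE alert everywhere except for one known
# software-update host (address is a constructed placeholder).
suppress gen_id 1, sig_id 15306, track by_src, ip 192.0.2.10
```

Verify after a reload that the consumer rule still fires on a flow that was only suppressed, which confirms the flowbit was set despite the dropped event.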

