Snort mailing list archives
Re: File-identify category
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 5 Jan 2012 12:07:10 -0500
On Jan 5, 2012, at 11:54 AM, Peter Bates wrote:
Hello all... Okay, so I've read http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html At the moment in the ruleset there are 235 rules, of which 159 seem to be enabled.
Eventually I'd like to get to the point where most of these are disabled and we rely on a PulledPork (or the Sourcefire product) to enable the rules that are needed. People are still using other tools that don't support flowbit resolution though.
I understand the purpose is to identify certain filetypes and then set a flowbit on them which is being used in other rulesets (exploit.rules, web-client.rules).
Correct.
25 of the rules have 'noalert' set - I'm not particularly interested in the actual download itself and I'm now seeing that SIDs
18758 FILE-IDENTIFY Microsoft Windows Visual Basic script file download request
18983 FILE-IDENTIFY Apple Mach-O executable file magic detection
15306 FILE-IDENTIFY Portable Executable binary file magic detection
The rules in that category that are NOT set to noalert mean that we are giving users the option to drop that type of file from entering the network totally. Say, if you want to disallow someone downloading an executable, you can set the rule to drop. If you are not running inline, and you don't want to observe these downloads, just suppress them.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
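A constructed illustration of the producer/consumer flowbit arrangement and the drop/suppress options discussed above. This is an added example, not the thread's text and not the VRT rules; the rule bodies, local SIDs (1000001-1000003) and the flowbit name file.exe are assumptions, while SID 15306 in the suppress line is the PE magic rule Peter named.

```snort
# Constructed example, not the VRT ruleset; SIDs 1000001-1000003 are local.

# Producer rule: identify a PE download, set a flowbit, generate no event.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL FILE-IDENTIFY Portable Executable magic (example)"; \
    flow:to_client,established; file_data; content:"MZ"; depth:2; \
    flowbits:set,file.exe; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Consumer rule (the role exploit.rules / web-client.rules play): it only
# fires when the producer has tagged this stream as an executable. Disabling
# the producer silently disables this rule too, which is why a tool that
# resolves flowbit dependencies (PulledPork) matters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL example consumer - executable carrying the DOS stub string"; \
    flow:to_client,established; flowbits:isset,file.exe; \
    file_data; content:"This program cannot be run in DOS mode"; \
    classtype:misc-activity; sid:1000002; rev:1; )

# Variant without noalert: the same producer becomes a blocking policy rule
# when Snort runs inline, simply by changing the action to drop. The flowbit
# is still set, so consumers keep working on sensors that only alert.
drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL FILE-IDENTIFY PE download blocked (example)"; \
    flow:to_client,established; file_data; content:"MZ"; depth:2; \
    flowbits:set,file.exe; classtype:policy-violation; sid:1000003; rev:1; )

# threshold.conf: the passive-sensor option from the reply. Keep the
# non-noalert producer enabled so its flowbit is still set for consumers,
# but drop its events from the log (gen_id 1 = text rules, sig_id = SID).
suppress gen_id 1, sig_id 15306
```

Suppressing a producer hides its event only; disabling the rule instead would also clear the flowbit every dependent rule checks.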