Friday, December 9, 2011

The argument 'mime' to 'file_data' rule option is deprecated.

TL;DR:   This hurts nothing.  Ignore it.  Read the below to learn why it's there.

A lot of people have been seeing this warning, Googling it, asking about it, and wondering what it means when it's displayed on Snort startup.

Prior to Snort version 2.9.1, we had the operator "mime" added to the "file_data" keyword to have it properly set the pointer for mime attachments in an email.  However, when Snort version 2.9.1 was released, we added the "mime" operator into the file_data keyword itself.  This makes it simpler for the rule author to be able to write one rule, and Snort will correctly set the pointer for http, smtp, ftp, smb, pop3, and imap protocols.

We will still include this keyword within the official Snort ruleset distributed by the VRT so long as we distribute rulesets for Snort version 2.9.0.5.  If you are using Snort >=2.9.1, you can safely ignore this warning.  After the EOL for Snort 2.9.0.5 has been reached (90 days after the release of Snort 2.9.2), we'll remove the mime operator from the ruleset, and this warning will go away.