A lot of people have been seeing this warning, Googling it, asking about it, and wondering what it means when it's displayed on Snort startup.
Prior to Snort version 2.9.1, we had the operator "
mime" added to the "
file_data" keyword to have it properly set the pointer for mime attachments in an email. However, when Snort version 2.9.1 was released, we added the "
mime" operator into the
file_datakeyword itself. This makes it simpler for the rule author to be able to write one rule, and Snort will correctly set the pointer for http, smtp, ftp, smb, pop3, and imap protocols.
We will still include this keyword within the official Snort ruleset distributed by the VRT so long as we distribute rulesets for Snort version 220.127.116.11. If you are using Snort >=2.9.1, you can safely ignore this warning. After the EOL for Snort 18.104.22.168 has been reached (90 days after the release of Snort 2.9.2), we'll remove the
mimeoperator from the ruleset, and this warning will go away.