Snort mailing list archives
Re: Dynamic Rules
From: Chris Green <cmg () uab edu>
Date: 26 Jul 2001 15:51:54 -0500
"Jason Robertson" <jason () ifutureinc com> writes:
Is it possible to have the following:

    alert tcp any any -> server 80 (msg:"http scan"; ....other flags );

But to enable another rule, that is say for example unknown.host connects to server:80 and it would create the rule:

    log tcp unknown.host any -> server 80 (msg:"http scan packets"; timeout:"300";);
This can be done with the tag keyword in snort 1.8. (Try snort cvs for some fixes to it.)

    alert tcp any any -> server 80 (msg: "http scan"; tag: host, 300, seconds;)

You can also do it with activate and dynamic rules, though these might be deprecated in the future. See the snort manual or the snort webpage's "Writing Snort Rules" for details on how to do this.

I personally use it as a way to find out what machines need to be reported as vulnerable to exploits.

-- 
Chris Green <cmg () uab edu>
"Not everyone holds these truths to be self-evident, so we've worked up a proof of them as Appendix A." -- Paul Prescod
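The two mechanisms Chris mentions, written out side by side as an added example (not rules from the thread or from the Snort project). It assumes `server` is declared as a Snort variable, that the `tag` option takes an optional `src`/`dst` direction for the `host` type, and that `activates`/`activated_by`/`count` are the activate/dynamic rule options documented in the Snort manual.

```snort
# Added example: capture the follow-on packets from a host that tripped
# the "http scan" alert, first with tag (Snort 1.8), then with an
# activate/dynamic pair.  The address of the web server is assumed to be
# declared here as a variable (constructed value).
var server 10.0.0.5

# 1) tag keyword: the alert fires once, then Snort logs every packet
#    from the same source host (src) for the next 300 seconds, which is
#    what the original question's "timeout:300" was reaching for.
alert tcp any any -> $server 80 (msg:"http scan"; tag:host,300,seconds,src;)

# 2) activate/dynamic pair (older mechanism, may be deprecated): the
#    activate rule alerts and switches on dynamic rule 1, which then
#    logs the next 50 packets matching its own header.  Note the dynamic
#    rule matches on its header only, so it is not restricted to the
#    offending host the way the tagged version is.
activate tcp any any -> $server 80 (msg:"http scan"; activates:1;)
dynamic tcp any any -> $server 80 (activated_by:1; count:50;)
```

Tagged packets are written to the normal log output, so a detection engineer can pull the 300-second window for the offending host straight from the logs rather than hand-writing a second rule per scanner.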