Snort mailing list archives

Re: Dynamic Rules


From: Chris Green <cmg () uab edu>
Date: 26 Jul 2001 15:51:54 -0500

"Jason Robertson" <jason () ifutureinc com> writes:

> Is it possible to have the following
> alert tcp any any -> server 80 (msg:"http scan"; ....other flags );
> But to enable another rule, that is say for example unknown.host
> connects to server:80 and it would create the rule
> log tcp unknown.host any -> server 80 (msg:"http scan packets"; timeout:"300";);

This can be done with the tag keyword in snort 1.8. (Try snort cvs
for some fixes to it.)

alert tcp any any -> server 80 (msg: "http scan"; tag: host, 300, \
                                      seconds;) 

You can also do it with activate and dynamic rules though these might
be deprecated in the future.  See the snort manual or the snort
webpage's writing snort rules for details on how to do this.

I personally use it as a way to find out what machines need to be
reported as vulnerable to exploits.
-- 
Chris Green <cmg () uab edu>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
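The two mechanisms named in the reply above, written out as a small rule set in Snort 1.8 syntax. This is an added illustration, not part of the original post and not taken from the Snort distribution. The HOME_NET/EXTERNAL_NET definitions, the web server address 192.168.1.10, the SYN-flag match and the counts (300 seconds, 50 packets) are assumed for the example.

```snort
# Added example (not from the original post). Variables would normally
# live in snort.conf; they are repeated here so the fragment is complete.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 1) tag: once this alert fires, Snort logs every further packet from the
#    same source host ('host' keys on the IP that triggered the rule,
#    'src' selects the source address) for the next 300 seconds, on any
#    port, without a second rule.
alert tcp $EXTERNAL_NET any -> 192.168.1.10 80 \
    (msg:"http scan"; flags:S; tag:host,300,seconds,src;)

# 2) activate/dynamic: the activate rule alerts and switches on dynamic
#    rule number 1; that rule then logs the next 50 packets matching its
#    own header (here: anything external hitting the web server on 80).
activate tcp $EXTERNAL_NET any -> 192.168.1.10 80 \
    (msg:"http scan"; flags:S; activates:1;)
dynamic tcp $EXTERNAL_NET any -> 192.168.1.10 80 \
    (activated_by:1; count:50;)
```

The difference worth noticing is the scope of what gets logged. The tag rule follows the offending host, which is what the question asked for. A dynamic rule behaves like a log rule with a static header, so it captures whatever matches that header once activated, not specifically the host that tripped the activate rule; if you want per-host follow-up, tag is the right tool, and the tag duration is the "timeout" the question was looking for.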

