Snort mailing list archives

Re: activate dynamic


From: Erek Adams <erek () snort org>
Date: Tue, 22 Jul 2003 07:47:10 -0400 (EDT)

On Mon, 21 Jul 2003, Slighter, Tim wrote:

> When SOCKS or PROXY scans take place, there are usually several hundred or
> even thousands within a very short period of time.  I had asked if there was
> a way to instruct or craft snort so that it would log the first SOCKS or
> PROXY scan but then stop logging any subsequent scans of this type from the
> same host. (Similar to ISS event propagation).  Someone mentioned using
> activate/dynamic, however, from all that I have seen, Activate/Dynamic is
> another variation of "tagging" and I have no interest in tagging any of
> these sessions.  Have also experimented with ruleset, but this essentially
> would allow me to specify a ruleset that would allow of this type of traffic
> to "PASS".  So, the precise goal here is to instruct snort to log or alert
> the first and ONLY the first PROXY/SOCKS scan from a host and then do not
> log or alert on the rest.  Unless I am overlooking something, is there
> any way to accomplish this?

If you're asking what I think you are--No.

You want something that 'counts' the times a rule is fired and then alerts
based on a threshold?

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
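As an added illustration (not from the thread or from Snort itself) of the per-source counting Erek describes: a small Python filter over constructed alert_fast-style lines that passes the first SOCKS/proxy alert from each source host for a given signature and drops the repeats until a time window expires. The sids, addresses and timestamps are placeholders I made up for the sample.

```python
import re

# Constructed alert_fast-style lines; sids and addresses are placeholders, not from the thread.
SAMPLE_ALERTS = """\
07/21-10:00:00.000001 [**] [1:100001:1] SCAN SOCKS proxy attempt [**] {TCP} 10.1.1.5:4321 -> 192.168.0.10:1080
07/21-10:00:00.500000 [**] [1:100001:1] SCAN SOCKS proxy attempt [**] {TCP} 10.1.1.5:4322 -> 192.168.0.11:1080
07/21-10:00:01.000000 [**] [1:100001:1] SCAN SOCKS proxy attempt [**] {TCP} 10.1.1.5:4323 -> 192.168.0.12:1080
07/21-10:00:02.000000 [**] [1:100001:1] SCAN SOCKS proxy attempt [**] {TCP} 10.1.1.9:5000 -> 192.168.0.10:1080
07/21-10:00:03.000000 [**] [1:100002:1] SCAN HTTP proxy attempt [**] {TCP} 10.1.1.5:4324 -> 192.168.0.10:8080
07/21-10:01:05.000000 [**] [1:100001:1] SCAN SOCKS proxy attempt [**] {TCP} 10.1.1.5:4400 -> 192.168.0.10:1080
"""

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d+) "
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)


def _seconds(m):
    """Timestamp in seconds; the day is folded in so a window can span midnight (year ignored)."""
    return (int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60
            + int(m["s"]) + int(m["us"]) / 1e6)


def limit_first_per_source(lines, seconds=60):
    """Keep only the first alert per (signature, source host) in each window.

    A window opens on the first alert from a source for a given sid; later
    alerts from that source in the window are dropped, and a fresh window
    opens once `seconds` have elapsed. Tracking is keyed on the source so a
    noisy scanner cannot mask a second host probing the same ports.
    """
    window_start = {}   # (sid, src) -> time the current window opened
    kept = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue        # not an alert line in the expected format; ignore it
        key = (m["sid"], m["src"])
        t = _seconds(m)
        if key not in window_start or t - window_start[key] >= seconds:
            window_start[key] = t
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in limit_first_per_source(SAMPLE_ALERTS.splitlines()):
        print(line)
```

Later Snort 2.x releases added a rule-level `threshold` option (type limit, track by_src) with the same "first one, then silence for the interval" behaviour; the script above applies that logic after the fact to an existing log.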

