Snort mailing list archives
Re: Rule Chaining
From: Brian <bmc () snort org>
Date: Fri, 25 Feb 2005 14:08:45 -0500
On Thu, Feb 24, 2005 at 09:25:35PM -0800, Madhur Nagar wrote:
> 1. Rule Chaining - one rule calling another

FYI, most uses of activate/dynamic should be replaced with flowbits. Sure flowbits only works on a single flow, but it works oh so much better than activate/dynamic rules.

> 2. Stateful Checking - Checking for a content in say 10 packets and only if the content of all the 10 matches then take some action

Sure, thresholding can do this.

> 3. Remote Rule Updation

Sounds like you need snort-perl 1.0 :P. Remote rule installation was one of the primary features I added in my latest iteration of snort + perl.

http://www.shmoo.com/~bmc/software/snort-perl/

Brian
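
Added example, not part of the original message or of the Snort project's rule set: the same "second rule depends on the first" idea written with activate/dynamic and then with flowbits, followed by a thresholded rule, in Snort 2.x rule syntax. The ports, content strings, messages, the flowbit name and the sids (local range) are constructed for illustration.

```snort
# Constructed example rules. sids are taken from the local range (>= 1000000).

# --- activate/dynamic ---------------------------------------------------
# When the activate rule fires, the dynamic rule is switched on and logs the
# next 50 packets that match its own header. The dynamic rule is not bound
# to the session that triggered the activation.
activate tcp any any -> any 143 (msg:"IMAP LIST seen, start logging"; \
    content:"LIST"; activates:1; sid:1000001; rev:1;)
dynamic tcp any any -> any 143 (activated_by:1; count:50; \
    sid:1000002; rev:1;)

# --- flowbits -----------------------------------------------------------
# Rule 1 sets a bit on the flow when the server confirms a login and stays
# silent (noalert). Rule 2 alerts only if the bit is set on that same flow.
# State is kept per TCP session, so it cannot link two separate connections.
alert tcp any 143 -> any any (msg:"IMAP login OK (state only)"; \
    flow:from_server,established; content:"OK LOGIN"; \
    flowbits:set,logged_in; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any any -> any 143 (msg:"IMAP LIST after login"; \
    flow:to_server,established; content:"LIST"; \
    flowbits:isset,logged_in; sid:1000004; rev:1;)

# --- thresholding -------------------------------------------------------
# Alert on every 10th match from the same source address within 60 seconds,
# instead of on each matching packet.
alert tcp any any -> any 143 (msg:"IMAP repeated LIST from one source"; \
    flow:to_server,established; content:"LIST"; \
    threshold:type threshold, track by_src, count 10, seconds 60; \
    sid:1000005; rev:1;)
```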