Snort mailing list archives
Re: Can I automatically include rules?
From: Jason <security () brvenik com>
Date: Tue, 06 Dec 2005 22:30:00 -0500
http://www.snort.org/docs/snort_htmanuals/htmanual_233/node18.html

Look at activate and dynamic; they might do what you want, but otherwise you might have to handle it post-process.

oink () signalno9 org wrote:
Hello,

I would like to include a rule when another is triggered. For example, if this rule is triggered:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url, www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5;)

I would like to also trigger this rule for n minutes/seconds:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I've looked at the tagging option for rules, but I need to drop them, not just log them. Any ideas?

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
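What the activate/dynamic pair Jason points to looks like for oink's case, written here as an added example (not code from Jason, oink or the Snort project). It assumes $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are defined in snort.conf, and the sid values are constructed placeholders in the local range rather than the sid from the original rule:

```snort
# Activate rule: same detection logic as the Gator/Claria signature above, but the
# rule type is "activate" and it carries the required "activates" option, which
# names the pair id (1 here) that arms the matching dynamic rule.
activate tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Gator/Clarian Agent beacon (activate)"; flow:to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:policy-violation; sid:1000001; rev:1; activates:1;)

# Dynamic rule: dormant until the activate rule with id 1 fires, then it behaves
# like a log rule for the next "count" packets that match its header.
# "count" is a number of packets, not a time window.
dynamic tcp any any -> any 80 (activated_by:1; count:50;)
```

Two caveats before relying on this for the drop-for-n-minutes requirement: a dynamic rule acts like a log rule, so it records the follow-on port 80 traffic rather than dropping it, and its lifetime is counted in packets rather than seconds. That is why a timed block still ends up being handled outside the rule language, as Jason says. The 2.x manual also notes that activate/dynamic pairs are being phased out in favour of tagging and flowbits, so new rulesets should prefer those where they fit.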
Current thread:
- Can I automatically include rules? oink (Dec 06)
- Re: Can I automatically include rules? Will Metcalf (Dec 06)
- Re: Can I automatically include rules? oink (Dec 06)
- Sticky-drop Patrick Walsh (Dec 07)
- Re: Sticky-drop G Ramon Gomez (Dec 07)
- Re: Sticky-drop Will Metcalf (Dec 07)
- Re: Sticky-drop Patrick Walsh (Dec 07)
- Message not available
- Re: Sticky-drop Patrick Walsh (Dec 07)
- Re: Sticky-drop Will Metcalf (Dec 07)
- Re: Sticky-drop Joel Esler (Dec 07)
- Re: Can I automatically include rules? Will Metcalf (Dec 06)