Snort mailing list archives

Sticky-drop


From: Patrick Walsh <pwalsh () esoft com>
Date: Wed, 07 Dec 2005 08:32:30 -0700

        What's this?  Sticky-drop?  Can someone provide a link to more
information?  Google searches have not been fruitful.  I'm using snort
2.4.3 and a grep of the source tree for "sticky" came back with nothing.
Is there a patch?

        Also, are there any known bugs with connection resets?  I think the
reset packets may not be getting sent to both ends of the connection or
else might not have the proper source port set.

        Finally, there's a bug filed on Sourceforge that says that "After a lot
of tries, a packet can pass through snort-inline" [1].  Is this a
confirmed issue?  I've seen some behavior that suggests it could be
true, but I haven't tracked it down yet.

Thanks,

..Patrick

1. http://sourceforge.net/tracker/index.php?func=detail&aid=876404&group_id=78497&atid=553467



On Tue, 2005-12-06 at 11:19 -0600, Will Metcalf wrote:
sticky-drop in snort-inline can do this.  You could probably
accomplish the same thing with Snortsam In InlineMode(); but I haven't
tried it.

Regards,

Will

On 12/6/05, oink () signalno9 org <oink () signalno9 org> wrote:
Hello,

I would like to include a rule when another is triggered, for example:

If this rule is triggered:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE
Malware Gator/Clarian Agent"; flow: to_server,established;
uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:
policy-violation; reference:url,
www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306;
rev:5;)

I would like to also trigger this rule for n minutes/seconds:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)

I've looked at the tagging option for rules but I need to drop them, not
just log them.

Any ideas?



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Patrick Walsh
eSoft Incorporated
303.444.1600 x3350
http://www.esoft.com/
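Modelling the behaviour oink asks for above, as an added example that is not snort-inline's sticky-drop code and not from anyone in the thread: a per-host drop table with a timeout, armed by the Gator/Clarian URI from the quoted rule, after which every port-80 packet from that host is dropped until the timer expires. The packet dict layout, `StickyDrop` and `run_trace` are assumptions of this example; the clock is passed in so the expiry can be checked offline.

```python
from dataclasses import dataclass, field

# URI from the "BLEEDING-EDGE Malware Gator/Clarian Agent" rule quoted in the thread.
TRIGGER_URI = "/gbsf/gd/ne/new.net.gtrg2ze"


@dataclass
class StickyDrop:
    """Toy model (assumption, not snort-inline's implementation) of a sticky drop:
    once the trigger matches for a source host, that host stays blocked on TCP/80
    for `ttl` seconds, then the entry expires and traffic passes again."""
    ttl: float                                    # seconds a host stays blocked
    blocked: dict = field(default_factory=dict)   # src ip -> expiry timestamp

    def _expire(self, now):
        # Drop entries whose timer has run out; the block is temporary by design.
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def verdict(self, pkt, now):
        """Return 'drop' or 'pass' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        src = pkt["src"]
        to_http = pkt["dport"] == 80
        # Trigger rule: HTTP request for the malware URI (case-insensitive, like nocase).
        if to_http and pkt.get("uri", "").lower() == TRIGGER_URI:
            self.blocked[src] = now + self.ttl   # (re)arm the sticky timer
            return "drop"
        # Follow-on rule: any port-80 connection from an armed host is dropped.
        if to_http and src in self.blocked:
            return "drop"
        return "pass"


def run_trace(ttl=60):
    """Feed a constructed packet trace through the model and return the verdicts."""
    sd = StickyDrop(ttl=ttl)
    trace = [  # constructed sample traffic, (packet, timestamp)
        ({"src": "10.0.0.5", "dport": 80, "uri": "/GBSF/gd/ne/new.net.gtrg2ze"}, 0),
        ({"src": "10.0.0.5", "dport": 80, "uri": "/index.html"}, 30),
        ({"src": "10.0.0.6", "dport": 80, "uri": "/index.html"}, 30),
        ({"src": "10.0.0.5", "dport": 443}, 30),
        ({"src": "10.0.0.5", "dport": 80, "uri": "/index.html"}, 61),
    ]
    return [sd.verdict(pkt, t) for pkt, t in trace]


if __name__ == "__main__":
    print(run_trace())
```

Note that a tag-based rule only logs the follow-on packets, which is the gap oink describes; the model above is what a dropping equivalent has to keep as state.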


