Snort mailing list archives
Re: activate/dynamic rules problem
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 12 Jan 2015 14:53:58 +0000
On Jan 11, 2015, at 8:21 AM, Mark Greenman <mark.greenman.014 () gmail com> wrote:

> Hi. Do you know the reason for this warning after using activate/dynamic rules:
>
> WARNING: an activation rule with no dynamic rules matched.
>
> The set of rules that I have used in the experiment are:
>
> activate tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"adc!"; content:"Tree"; activates:1; sid:1000001;)
> dynamic tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"dyn!"; activated_by:1; count:3; sid:1000002;)

Are you sure “flowbits” aren’t a better option for what you are trying to do?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
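
The flowbits approach suggested in the reply, as an added example that is not part of either message: one rule marks the flow when "Tree" is seen, a second matches packets on a flow carrying that mark, and a third shows `tag` as a way to log the next three packets in the spirit of `count:3`. The flowbit name `tree_seen`, the sids 1000003 to 1000005 and the `msg` strings are assumptions; addresses and ports are taken from the rules in the question.

```snort
# Added example, not from the thread. Flowbit name, sids and msg text are
# assumptions; addresses and ports are copied from the original rules.
# flow and flowbits depend on Snort's stream/session tracking being enabled.

# Setter: when "Tree" appears in traffic from the server, mark this flow.
# flowbits:noalert keeps the setter itself from generating an alert.
alert tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"Tree seen, flow marked"; flow:established; content:"Tree"; flowbits:set,tree_seen; flowbits:noalert; sid:1000003; rev:1;)

# Checker: alerts on packets belonging to a flow where tree_seen is set.
# Unlike dynamic/count, this is not limited to a fixed number of packets.
alert tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"Packet on flow marked by Tree"; flow:established; flowbits:isset,tree_seen; sid:1000004; rev:1;)

# Alternative for the "log the next 3 packets" intent of count:3:
# alert once on "Tree" and tag the session so the following three
# packets are logged alongside the alert.
alert tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"Tree seen, tagging next packets"; flow:established; content:"Tree"; tag:session,3,packets; sid:1000005; rev:1;)
```

Use either the setter/checker pair or the tagged rule, not both, to avoid duplicate events for the same trigger.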