Snort mailing list archives
Re: problems with snort rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 9 Sep 2015 10:56:50 +0000
You should use flowbits. Not activate and dynamic.

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group

Sent from my iPhone

> On Sep 9, 2015, at 1:41 AM, Valerius Travasso <valeriustravasso () gmail com> wrote:
>
> I changed it so that they refer to each other, but I am still getting:
>
>     WARNING: an activation rule with no dynamic rules matched.
>
> When I run in console mode the activate rule is giving the output message, but the dynamic rule does not seem to work. I don't know what is wrong.
>
>     activate tcp ***.***.***.*** any <> any any (content:"www.******.com"; msg:"somebody is accessing www.******.com"; activates:0000003; sid:0000002;)
>     dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated as ****** was accessed"; activated_by:0000002; count:5; sid:0000003;)
>
>> On 9/3/15, waldo kitty <wkitty42 () windstream net> wrote:
>>
>>> On 09/03/2015 01:33 AM, Valerius Travasso wrote:
>>>
>>> OK so first problem
>>>
>>> 1)
>>>
>>>     activate tcp ***.***.***.*** any <> any any (content:"www.******.com"; msg:"somebody is accessing www.******.com"; activates:1212; sid:0000002;)
>>>     dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated as ****** was accessed"; activated_by:1212; count:5; sid:0000003;)
>>>
>>> When I run this rule with
>>>
>>>     sudo snort -A console -c /etc/snort/snort.conf -i eth0
>>>
>>> the activate part works fine, but the dynamic rule part shows the following warning:
>>>
>>>     WARNING: an activation rule with no dynamic rules matched.
>>
>> the documentation isn't very clear but it looks to me like your "activates:1212" and "activated_by:1212" are wrong... the dynamic one is SID 0000003 and the active one is SID 0000002... so they should reference each other... eg:
>>
>>     activates:0000003
>>     activated_by:0000002
>>
>> there is also a note about activate and dynamic rules being phased out in favor of using a combination of tagging and flowbits...
>>
>> http://manual.snort.org/node299.html
>>
>>> 2) I'm having some problem with log. I want to log specific packets only. In the directory var/log/snort I get the log file of the entire run.
>>>
>>>     alert icmp ***.***.***.*** any -> ***.***.***.*** any (msg:"GOT PING BY PC 8"; sid:0000006;)
>>>
>>> Also nothing in the log folder in etc/snort/log. Did not get anything with logto. I know we can't use logto when snort is in binary mode. I have barnyard installed; does it affect the logto option?
>>
>> i don't have any ideas about this, though... our logs are written to /var/log/snort which is set as the default logging directory in snort.h...
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>>       *Please keep mailing list traffic on the list* unless private
>>       contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
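Joel's advice worked through for the rule pair in this thread, as an added example that is not from any message in the archive: the activate rule becomes an alert that sets a per-flow bit and tags the session (which takes over the "log the next 5 packets" job of count:5), and the dynamic rule becomes an alert that only fires when that bit is already set on the same flow, so there is no activation/dynamic pairing to warn about. The hostname www.example.com, the $HOME_NET variable, the flowbit name and the SIDs are placeholders chosen for the example.

```snort
# Replacement for the activate rule. On the client's request carrying the
# hostname it alerts, sets the flowbit "site.accessed" on this TCP session,
# and tags the session so the next 5 packets are logged (what count:5 did).
alert tcp $HOME_NET any -> any any ( \
    msg:"somebody is accessing www.example.com"; \
    flow:established,to_server; \
    content:"www.example.com"; nocase; \
    flowbits:set,site.accessed; \
    tag:session,5,packets; \
    sid:1000002; rev:1; )

# Replacement for the dynamic rule. It has no content of its own, so it can
# only match after the rule above has set the bit on the same flow. Checking
# the server-to-client direction guarantees it fires on a later packet than
# the request, and unsetting the bit makes it a one-shot alert per session.
alert tcp any any -> $HOME_NET any ( \
    msg:"follow-up traffic in a session that accessed www.example.com"; \
    flow:established,to_client; \
    flowbits:isset,site.accessed; \
    flowbits:unset,site.accessed; \
    sid:1000003; rev:1; )
```

Drop the flowbits:unset line if every later server packet in the session should alert, which is closer to what the dynamic rule did; the tag option already handles the packet logging either way.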
Current thread:
- problems with snort rules Valerius Travasso (Sep 02)
- Re: problems with snort rules waldo kitty (Sep 03)
- Re: problems with snort rules Valerius Travasso (Sep 08)
- Re: problems with snort rules Joel Esler (jesler) (Sep 09)
- Re: problems with snort rules Valerius Travasso (Sep 08)
- Re: problems with snort rules waldo kitty (Sep 03)