Snort mailing list archives

Activate and dynamic rules


From: Nicolas Matovelle Trigo <nicolas.matovelle () tarlogic com>
Date: Thu, 26 May 2016 13:56:26 +0200

Hi, I've just started using snort and I can't get it working.

I've installed it in a CentOS 7.2 virtual machine and configured it to act
as a gateway for another network and it works. At first I set only
the following rule:

"alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP response"; sid:123;)"

And I could see the responses in the alert file.

But now I'm trying to use a dynamic rule like the following:

activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating";
sid:100; activates:1;)
dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101;
activated_by:1; count: 10000;)

The actual behavior is that snort alerts the "Activating" rule, but I never
see the "Dynamic not activated" message. The only thing not common in my
configuration is that I commented out the line "dynamicdetection directory
/usr/local/lib/snort_dynamicrules" from the snort.conf as I don't have such
directory and snort failed to start with that line.

Thanks in advance for your attention,
Nico.
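As an added example (not part of the post), a small checker for Snort 2 activate/dynamic rule pairs: it parses the rule header and options and reports an activate rule whose activates number has no dynamic partner, a dynamic rule that nothing activates, and a dynamic rule with no count. The three sample rules are the ones from the post, with the semicolon after sid:123 added; the parser handles only the common header form and quoted or plain option values.

```python
import re

# Constructed sample: the three rules from the post, with the missing ';'
# after sid:123 added so the first rule parses.
RULES = '''
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP response"; sid:123;)
activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)
dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count:10000;)
'''

# action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(line):
    """Split one Snort 2 rule into its action, protocol and an option dict."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule header: %s" % line)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    # Each option is 'key:value;' or a bare 'key;'; values may be quoted.
    for key, val in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;', body):
        opts[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "opts": opts}

def check_rules(text):
    """Return a list of problems found in the activate/dynamic pairs of a ruleset."""
    lines = [l for l in text.strip().splitlines() if l.strip() and not l.lstrip().startswith('#')]
    rules = [parse_rule(l) for l in lines]
    activates = {r["opts"].get("activates") for r in rules if r["action"] == "activate"}
    activated_by = {r["opts"].get("activated_by") for r in rules if r["action"] == "dynamic"}
    problems = []
    for r in rules:
        o = r["opts"]
        if "sid" not in o:
            problems.append("rule without sid: %s" % o.get("msg"))
        if r["action"] == "activate" and o.get("activates") not in activated_by:
            problems.append("activate sid %s has no dynamic partner" % o.get("sid"))
        if r["action"] == "dynamic":
            if o.get("activated_by") not in activates:
                problems.append("dynamic sid %s is never activated" % o.get("sid"))
            if "count" not in o:
                problems.append("dynamic sid %s lacks count" % o.get("sid"))
    return problems

if __name__ == "__main__":
    print(check_rules(RULES) or "activate/dynamic pairs look consistent")
```

Note that a triggered dynamic rule behaves like a log rule rather than an alert rule, so its packets land in Snort's packet log and not in the alert file; the Snort 2 manual also describes activate/dynamic rules as being phased out in favour of tag and flowbits.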