Snort mailing list archives
Re: Linking Snort Rules
From: Mike Smith <yellowmikeroad () gmail com>
Date: Thu, 25 Aug 2016 19:28:54 +0100
So looking at Activate and Dynamic, the Dynamic rule header looks to just be used as a logging action rather than activating a whole new rule. I want Rule B to alert when UDP port 69 (TFTP) traffic occurs, but ONLY if Rule A (SNMP) fires beforehand. I cannot create a rule just for TFTP traffic as the amount of FPs would be too high.

Thanks,
Mike

On Thu, Aug 25, 2016 at 6:32 PM, Mike Smith <yellowmikeroad () gmail com> wrote:

Excellent, I'll learn to use Activate and Dynamic then. Thanks a lot for your time,
Mike

On Thu, Aug 25, 2016 at 6:20 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

"Activate and Dynamic rules are being phased out in favor of a combination of tagging and flowbits."

You can use either. Both will probably do what you are looking for and the learning curve is nothing major.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Mike Smith <yellowmikeroad () gmail com>
Date: Thursday, August 25, 2016 at 1:12 PM
To: allewi <allewi () cisco com>
Subject: Re: [Snort-sigs] Linking Snort Rules

Al,

Thanks for your time in getting back to me. I did quickly glance over it, however I read that it was being phased out, so in turn decided that it was best to invest time into learning a technique that wasn't going anywhere soon. In your experience is this actually perhaps the best route to go down?

Regards,
Mike

On Thu, Aug 25, 2016 at 5:55 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Have you tried using "activate" or "tagging"?
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00426000000000000000

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Mike Smith <yellowmikeroad () gmail com>
Date: Thursday, August 25, 2016 at 12:37 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Linking Snort Rules

Good Morning All,

I'm hoping someone can help me. I have some traffic that I am attempting to signature up but am encountering some difficulties. First I'll briefly explain the traffic. Device A receives an SNMP request to update its firmware; it then connects back via TFTP to download the firmware file.

Now, I have a signature that detects the SNMP traffic fine (the MIB etc.), and I now want to detect the TFTP traffic following this, but I ONLY want this FTP rule to be activated if the first rule (the SNMP rule) fires. Obviously I cannot use Flowbits, and by trawling the other rules and manual I can't really see anything that I believe would fit this criteria. Any advice is appreciated,
Mike
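Added example, not from the thread: the two Snort 2 mechanisms Al points at, written out for the SNMP-then-TFTP case so the difference Mike noticed is visible. The SNMP content match, the SIDs, the packet count and the tag window are assumed placeholders; the activate/dynamic and tag syntax is as documented in the Snort 2 manual section linked above.

```snort
# --- Option 1: activate / dynamic ---
# Rule A (SNMP): fires on the firmware-update request and switches on
# the dynamic rule whose activated_by matches activates. The content
# is a placeholder for the MIB match the real rule already carries.
activate udp $EXTERNAL_NET any -> $HOME_NET 161 \
    (msg:"SNMP firmware update request (placeholder match)"; \
     content:"PLACEHOLDER_MIB_OID"; activates:1; sid:1000001; rev:1;)

# Rule B (TFTP): once activated, logs the next 20 packets that match
# this header, then goes dormant again. Caveat shown here: a dynamic
# rule only logs; it does not produce its own alert, and it does not
# restrict itself to the host that received the SNMP request, so any
# $HOME_NET host talking TFTP during the window is captured.
dynamic udp $HOME_NET any -> any 69 \
    (activated_by:1; count:20; sid:1000002; rev:1;)

# --- Option 2: tagging ---
# Same SNMP match as an ordinary alert rule. tag:host,...,dst records
# the next 300 seconds of traffic involving the *destination* host of
# the triggering packet, i.e. Device A. The follow-up TFTP session from
# that device is therefore logged even though it is a different UDP
# flow (which is why per-flow flowbits cannot carry the state across).
# Caveat: tagging logs all of that host's packets, not only TFTP, and
# tagged packets are logged rather than raised as a separate alert.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 \
    (msg:"SNMP firmware update request, tagging device"; \
     content:"PLACEHOLDER_MIB_OID"; tag:host,300,seconds,dst; \
     sid:1000003; rev:1;)
```

Either option yields the TFTP packets in the log tied to the SNMP event; neither makes a second rule alert on TFTP only when the first one fired, which is the behaviour Mike is after.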