Snort mailing list archives

Dynamic Rules


From: "Jason Robertson" <jason () ifutureinc com>
Date: Thu, 26 Jul 2001 16:03:27 -0400


Is it possible to have the following
alert tcp any any -> server 80 (msg:"http scan"; ....other flags );
But to enable another rule, that is say for example unknown.host 
connects to server:80 and it would create the rule
log tcp unknown.host any -> server 80 (msg:"http scan packets"; timeout:"300";);
This could be useful for things after the primary alert to grab the rest of the 
session data from this host.  It can be useful for example to see if someone is
say scanning an MTU size, or bandwidth, and such, but also it would be useful
to build a complete complement of data, of what a user might be doing, that is
not being alerted to.

---
Jason Robertson
Network Analyst
jason () ifutureinc com
http://www.astroadvice.com      

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
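Snort 1.8, the current release when this was posted, already has two rule forms that do what the post sketches. An activate rule alerts like an ordinary rule and switches on a numbered dynamic rule, which then logs packets matching its own header for a set number of packets; the tag option on an ordinary alert rule logs follow-up traffic from the triggering host for a number of seconds, which is closer to the timeout:300 idea. The rules below are an added example, not part of the original post or the Snort distribution; $HOME_NET, port 80 and the flags:S match condition are assumptions standing in for the poster's "other flags".

```snort
# Added example, not from the original post. $HOME_NET, port 80 and
# flags:S are assumptions standing in for the poster's "other flags".

# Style 1: activate/dynamic pair. The activate rule alerts like a normal
# rule and turns on dynamic rule 1 (the number after activates/activated_by
# links the two).
activate tcp any any -> $HOME_NET 80 (msg:"http scan"; flags:S; activates:1;)
# Dynamic rule 1 is off until activated, then logs the next 50 packets that
# match its header. Note the header is matched as written, so this is not
# narrowed to the host that triggered the activate rule.
dynamic tcp any any -> $HOME_NET 80 (activated_by:1; count:50;)

# Style 2: tag. After this rule fires, Snort keeps logging packets from the
# source host (src) for 300 seconds, so the follow-up is tied to the
# triggering host rather than to the rule header.
alert tcp any any -> $HOME_NET 80 (msg:"http scan"; flags:S; tag:host,300,seconds,src;)
```

The activate/dynamic form was later deprecated in favour of tag, so on any Snort newer than the 1.x series the second style is the one to use. Either way the extra packets only land in the log, not the alert file, so a console or log-rotation setup that only watches alerts will not show them.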

