Snort mailing list archives
Dynamic Rules
From: "Jason Robertson" <jason () ifutureinc com>
Date: Thu, 26 Jul 2001 16:03:27 -0400
Is it possible to have the following:

alert tcp any any -> server 80 (msg:"http scan"; ....other flags );

but to enable another rule, that is, say for example unknown.host connects to server:80 and it would create the rule:

log tcp unknown.host any -> server 80 (msg:"http scan packets"; timeout:"300";);

This could be useful for things after the primary alert, to grab the rest of the session data from this host. It can be useful, for example, to see if someone is, say, scanning an MTU size, or bandwidth, and such, but also it would be useful to build a complete complement of data of what a user might be doing that is not being alerted to.

---
Jason Robertson
Network Analyst
jason () ifutureinc com
http://www.astroadvice.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
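The mechanism asked for above already exists in Snort's rule language, in two forms. The following is an added example written by the editor, not part of Jason Robertson's post or of any reply in this thread; the rule headers, the `$HOME_NET` variable, the `activates:1` / `activated_by:1` link number and the content strings are illustrative assumptions, not rules from the Snort distribution.

```snort
# Form 1: activate / dynamic rule pair (Snort 1.x rule types).
# The "activate" rule behaves like an alert rule and, when it fires,
# switches on the "dynamic" rule that carries the matching
# activated_by number. The dynamic rule then behaves like a log rule
# for the next <count> packets that match its header.
activate tcp any any -> $HOME_NET 80 (msg:"http scan"; flags:S; activates:1;)
dynamic  tcp any any -> $HOME_NET 80 (activated_by:1; count:50;)

# Form 2: the tag keyword (Snort 2.x), which is the closer match to the
# "timeout:300" idea in the post. After this alert fires, Snort keeps
# logging the rest of the same TCP session for 300 seconds, without a
# second rule.
alert tcp any any -> $HOME_NET 80 (msg:"http scan"; flags:S; \
    tag:session,300,seconds; sid:1000001; rev:1;)

# Variant: tag every packet from the offending source host, not just
# this session, for 300 seconds. This is what captures follow-on probes
# (MTU or bandwidth tests) that would otherwise never trip a rule.
alert tcp any any -> $HOME_NET 80 (msg:"http scan, host tagged"; flags:S; \
    tag:host,300,seconds,src; sid:1000002; rev:1;)
```

Two caveats worth knowing before relying on either form. The activate/dynamic pair counts packets, not time, and the dynamic rule's header is fixed when the rule is written, so it is not automatically narrowed to the host that triggered the activate rule; any traffic matching `any any -> $HOME_NET 80` is logged until the count is exhausted. The `tag` keyword keys on the triggering session or host, so `tag:host,...,src` is the option that gives the per-host "complete complement of data" the post describes. Tagged packets are written to the configured log output, so on a busy sensor a long host tag with a large count can produce a lot of data; the count and metric should be sized to the storage you have.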
Current thread:
- Acid 0.9.6bx Portscan problem bthaler (Jul 26)
- RE: Acid 0.9.6bx Portscan problem Stefan Dens (Jul 26)
- Dynamic Rules Jason Robertson (Jul 26)
- Re: Dynamic Rules Chris Green (Jul 26)
- Dynamic Rules Jason Robertson (Jul 26)
- <Possible follow-ups>
- RE: Acid 0.9.6bx Portscan problem roman (Jul 26)
- ACID Graphing Frank Reid (Jul 26)
- RE: Acid 0.9.6bx Portscan problem Stefan Dens (Jul 26)