Snort mailing list archives

activate dynamic


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 21 Jul 2003 12:20:45 -0600

Had posted earlier asking about how to accomplish the following:

When SOCKS or PROXY scans take place, there are usually several hundred or
even thousands within a very short period of time.  I had asked if there was
a way to instruct or craft snort so that it would log the first SOCKS or
PROXY scan but then stop logging any subsequent scans of this type from the
same host. (Similar to ISS event propagation.)  Someone mentioned using
activate/dynamic, however, from all that I have seen, Activate/Dynamic is
another variation of "tagging" and I have no interest in tagging any of
these sessions.  Have also experimented with ruleset, but this essentially
would allow me to specify a ruleset that would allow this type of traffic
to "PASS".  So, the precise goal here is to instruct snort to log or alert
the first and ONLY the first PROXY/SOCKS scan from a host and then not
log or alert on the rest.  Unless I am overlooking something, is there
any way to accomplish this?

Thanks
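One way to get the first-alert-only behaviour asked for above, as an added example that is not from the original post: a per-rule `threshold` of type `limit`, tracked by source address. The rule itself, its sid (1000001), the SOCKS port 1080 and the one-hour window are assumptions, and the example assumes a Snort release that supports the `threshold` rule option (Snort 2.x).

```snort
# Added example (not from the original post). Assumes Snort 2.x with the
# threshold rule option; the rule, sid 1000001, port 1080 and the 3600 s
# window are constructed for illustration.
#
# "type limit" alerts on the first matching packet from each source
# (track by_src) and then stays quiet for that source for the rest of the
# window; "count 1" means at most one alert per source per window.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS proxy attempt (first per source per hour)"; \
    flags:S; \
    threshold:type limit, track by_src, count 1, seconds 3600; \
    classtype:attempted-recon; sid:1000001; rev:1;)

# Equivalent standalone form in threshold.conf, attached to an existing rule
# by generator and signature id (sig_id is a placeholder here, gen_id 1 is
# the rules engine):
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600
```

Once `seconds` elapses the next packet from that source alerts again, so size the window to the scan bursts being described; the suppressed packets are not logged at all, so keep that in mind if the full scan is wanted for later forensics. In Snort 2.8.5 and later the rule-level `threshold` option is deprecated in favour of `detection_filter` on the rule and `event_filter` in the configuration.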



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net