Re: Activates/Dynamic

[Martin Roesch <roesch () sourcefire com>]

Hi Sekure,

We haven't specifically disabled the activate/dynamic rules at this  
time, they should work.

I just did a quick test with these rules and it worked.  The dynamic  
rules don't actually generate an alert message that goes to the  
alerting facility, they just put a message on the logged data (if  
you're in text mode).

Here's the sample rules I ran and my command line:

activate tcp any any -> any any (content: "foo"; msg: "got foo";  
activates: 1;)
dynamic tcp any any -> any any (activated_by: 1; msg: "activated";  
count: 3;)

snort -c test.conf -l ./log -A console -d

Here's the output (logging in ASCII mode):

[**] got foo [**]
08/03-22:36:35.110800 10.1.47.32:23 -> 10.1.47.102:64724
TCP TTL:255 TOS:0x0 ID:32031 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0xB08D365D  Ack: 0xCAF24BC4  Win: 0x2798  TcpLen: 32
TCP Options (3) => NOP NOP TS: 236012640 3100606937
66 6F 6F 3A 20 43 6F 6D 6D 61 6E 64 20 6E 6F 74  foo: Command not
20 66 6F 75 6E 64 2E 0D 0A 5B 78 65 72 78 65 73   found...[xerxes
20 2F 75 73 72 2F 68 6F 6D 65 2F 72 6F 65 73 63   /usr/home/roesc
68 5D 20 7B 32 7D 20                             h] {2}

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
=+

[**] activated [**]
08/03-22:36:35.308159 10.1.47.102:64724 -> 10.1.47.32:23
TCP TTL:64 TOS:0x10 ID:32178 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xCAF24BC4  Ack: 0xB08D3694  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3100606938 236012640

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
=+

[**] activated [**]
08/03-22:36:36.778901 10.1.47.102:64724 -> 10.1.47.32:23
TCP TTL:64 TOS:0x10 ID:32179 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xCAF24BC4  Ack: 0xB08D3694  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3100606941 236012640
62                                               b

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
=+

[**] activated [**]
08/03-22:36:36.783351 10.1.47.32:23 -> 10.1.47.102:64724
TCP TTL:255 TOS:0x0 ID:32032 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xB08D3694  Ack: 0xCAF24BC5  Win: 0x2798  TcpLen: 32
TCP Options (3) => NOP NOP TS: 236012807 3100606941
62                                               b


On Aug 3, 2004, at 1:53 PM, sekure wrote:

> Are Activate/Dynamic rules still supported in the more recent releases  
> of Snort?
>
> I have an interesting problem i am trying to solve, that I'd love to
> use Activate/Dynamic for.  However the documentation is telling me
> that the use of those options is being phased out in favor of tagging.
>
> I don't think i can do what i want to do with tagging, so I'd like to
> know if I can still use Activate/Dynamic in 2.2.0rc1.
>
> For the curious ones, here is what i am trying to achieve:
>
> Occasionally, during some really wierd hours, the CPU utilization on
> one of my routers spikes to 70% or higher.  I know it's because of a
> sudden spike in network traffic, but i don't know what the traffic is.
>  I send snmp queries to the router which responds with the cpu
> utilization.  I am using byte_test to check the value of the cpu
> utilization and I'd like to activate the dynamic portion if the
> utilization is above 40%. The dynamic rule would capture a million or
> so packets.
>
> I have a rule that if set to "alert" or even "activate", gets
> triggered upon seeing the correct packet.  However the "dynamic" part
> never does anything, so I am nowhere.
>
> activate udp router 161 -> host any (msg:"Utilization above 12%";
> activates:1; content:"|04 01 09 02 01 39 00 02 01|"; offset:36;
> depth:9; byte_test:1,>,0x0B,0,relative;)
>
> dynamic tcp any any -> any any (activated_by: 1; msg:"Activated";  
> count: 50;)
>
> I don't think i can do this with tagging because i am trying to
> capture ALL traffic, not just between the two hosts that generated the
> original event.
>
> Any ideas?
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source  
> Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users