Snort mailing list archives
rule variables
From: "katsumi liquer" <katsumi () gmail com>
Date: Fri, 6 Oct 2006 20:35:49 -0400
Hello everyone, I have some questions about writing Snort rules that I can't seem to find answers for. First, is it possible to use the src IP address of a packet in the rule as a variable? Does Snort expose any information about a packet to be used inside the rule? For example, I want to make an 'activate/dynamic' rule that first checks for an incoming TCP connection to a certain port, and then watches for a specific UDP packet from that same original SRC -- so, at the moment it looks like this:

    activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)

That part is just meant as a 'trigger' to make Snort watch for a secondary event, which is the real meat:

    dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I have two questions. First, should this rule even work? No matter how I do it, Snort always reads this when it starts up:

    snort[8825]: WARNING: an activation rule with no dynamic rules matched!

Since I only have one activate/dynamic rule, I'm guessing it is referring to the above. The only reason I can see it shouldn't work on paper is perhaps that the activate portion is TCP and the dynamic portion is UDP -- can you mix the two?

Second, this rule is really only half accurate because the second part could potentially match traffic coming from any source -- is it possible to say "use the SRC IP which was intercepted in the 'activate' rule"? i.e., something like:

    dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I know these are a lot of questions -- I am just trying to figure out the best way to make what seem to be 'compound' rules, but there is not much documentation about it.
I greatly appreciate any information at all that anyone has. Thank you very much,

katsu
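The correlation the post is after (a TCP trigger to 10.1.1.34:3340 that arms watching for a specific UDP payload from port 90, but only from the source that fired the trigger, and only for `count` matches) is easy to state as stateful detection logic. The sketch below is an added example in Python, not Snort code and not something from the original post; it models that logic over constructed packet records so the per-source binding and the count budget can be seen working. The post's hex content strings have an odd number of hex digits, so a constructed placeholder byte pattern stands in for them; the "superwolfgang.com" string and the ports and address are taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Minimal packet record; constructed for this sketch, not parsed from a capture."""
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Rule parameters taken from the post: trigger destination/port, watched UDP
# source port, and the dynamic rule's count.
TRIGGER_DST = "10.1.1.34"
TRIGGER_DPORT = 3340
WATCHED_SPORT = 90
DEFAULT_COUNT = 50

# Content patterns the UDP payload must contain. The first is a constructed
# placeholder (the post's hex strings are odd-length); the second is the
# domain string from the post.
PATTERNS = [bytes.fromhex("05a013f011ee"), b"superwolfgang.com"]


class Correlator:
    """Tracks which source addresses have fired the trigger and how many
    matching UDP packets may still be logged for each (the rule's 'count')."""

    def __init__(self, count: int = DEFAULT_COUNT):
        self.count = count
        self.activated: Dict[str, int] = {}   # src -> remaining matches to log
        self.alerts: List[str] = []

    def process(self, pkt: Packet) -> Optional[str]:
        # Trigger: a TCP packet to the watched server port arms its source.
        if pkt.proto == "tcp" and pkt.dst == TRIGGER_DST and pkt.dport == TRIGGER_DPORT:
            self.activated[pkt.src] = self.count
            return None

        # Secondary event: UDP from port 90, accepted only from an armed source.
        if pkt.proto == "udp" and pkt.sport == WATCHED_SPORT:
            remaining = self.activated.get(pkt.src, 0)
            if remaining <= 0:
                return None
            if all(p in pkt.payload for p in PATTERNS):
                remaining -= 1
                if remaining == 0:
                    del self.activated[pkt.src]   # count exhausted: disarm
                else:
                    self.activated[pkt.src] = remaining
                alert = f"activated TRUE src={pkt.src} remaining={remaining}"
                self.alerts.append(alert)
                return alert
        return None


def run(packets: List[Packet], count: int = DEFAULT_COUNT) -> List[str]:
    """Feed packets through a fresh Correlator and return the alerts raised."""
    c = Correlator(count)
    for p in packets:
        c.process(p)
    return c.alerts


# Constructed sample traffic using RFC 5737 documentation addresses.
GOOD = bytes.fromhex("05a013f011ee") + b" superwolfgang.com"
SAMPLE = [
    Packet("udp", "192.0.2.10", 90, "10.1.1.34", 5000, GOOD),            # before trigger: ignored
    Packet("tcp", "192.0.2.10", 40000, "10.1.1.34", 3340),               # trigger arms 192.0.2.10
    Packet("udp", "198.51.100.7", 90, "10.1.1.34", 5000, GOOD),          # other source: ignored
    Packet("udp", "192.0.2.10", 90, "10.1.1.34", 5000, b"nothing here"), # armed, but no content match
    Packet("udp", "192.0.2.10", 90, "10.1.1.34", 5000, GOOD),            # alert, 1 left
    Packet("udp", "192.0.2.10", 90, "10.1.1.34", 5000, GOOD),            # alert, 0 left: disarmed
    Packet("udp", "192.0.2.10", 90, "10.1.1.34", 5000, GOOD),            # count exhausted: ignored
]

if __name__ == "__main__":
    for a in run(SAMPLE, count=2):
        print(a)
```

Run with `count=2` to see the budget exhaust after two matches; the first UDP packet is dropped because nothing has armed its source yet, and the packet from 198.51.100.7 is dropped because only 192.0.2.10 fired the trigger, which is exactly the source-binding the second question asks for.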
Current thread:
- rule variables katsumi liquer (Oct 06)
- Re: rule variables Jason Brvenik (Oct 06)