Snort mailing list archives

Re: activate/dynamic rules problem


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 12 Jan 2015 14:53:58 +0000


On Jan 11, 2015, at 8:21 AM, Mark Greenman <mark.greenman.014 () gmail com> wrote:

> Hi. Do you know the reason for this warning after using activate/dynamic rules:
>
> WARNING: an activation rule with no dynamic rules matched.
>
> The set of rules that I have used in the experiment are:
>
> activate tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"adc!"; content:"Tree"; activates:1; sid:1000001;)
> dynamic tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"dyn!"; activated_by:1; count:3; sid:1000002;)


Are you sure “flowbits” aren’t a better option for what you are trying to do?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
