Re: problems with snort rules

[Valerius Travasso <valeriustravasso () gmail com>]

I changed it so that it refers to each other but still getting

WARNING: an activation rule with no dynamic rules matched.

when i run in console mode the activate rule is giving the output
message but the dynamic rule dose not seem to work

dont know what is wrong
activate tcp ***.***.***.*** any <> any any (content:"www.******.com";
msg:"somebody is accessing www.******.com"; activates:0000003;
sid:0000002;)
dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated
as ****** was accessed"; activated_by:0000002; count:5; sid:0000003;)


On 9/3/15, waldo kitty <wkitty42 () windstream net> wrote:
> On 09/03/2015 01:33 AM, Valerius Travasso wrote:
> > OK so first problem
> > 1)
> > activate tcp ***.***.***.*** any <> any any (content:"www.******.com";
> > msg:"somebody is accessing www.******.com"; activates:1212;
> > sid:0000002;)
> > dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated
> > as ****** was accessed"; activated_by:1212; count:5; sid:0000003;)
> > when i ruh this rule with sudo snort -A console -c
> > /etc/snort/snort.conf -i eth0 the activate part works fine but the
> > dynamic rule part shows following warning
> > WARNING: an activation rule with no dynamic rules matched.
>
> the documentation isn't very clear but it looks to me like your
> "activates:1212"
> and "activated_by:1212" are wrong... the dynamic one is SID 0000003 and the
>
> active one is SID 0000002... so they should reference each other...
>
> eg: activates:0000003
>      activated_by:0000002
>
> there is also a note activate and dynamic rules being phased out in favor of
>
> using a combination of tagging and flowbits...
>
>      http://manual.snort.org/node299.html
>
> > 2)
> > i m having some problem with log i want to log specific packets only
> > in the directory var/log/snort i get the log file of the entire run
> > alert icmp ***.***.***.*** any -> ***.***.***.*** any (msg:"GOT PING
> > BY PC 8"; sid:0000006;)
> > also nothing in the log folder in etc/snort/log
> > did not get anything with logto
> > i know we cant use logto when snort is in binary mode have barnyard
> > installed does it affects logto option
>
> i don't have any ideas about this, though... our logs are written to
> /var/log/snort which is set as the default logging directory in snort.h...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!