Snort mailing list archives
Re: problems with snort rules
From: Valerius Travasso <valeriustravasso () gmail com>
Date: Wed, 9 Sep 2015 11:08:39 +0530
I changed it so that they refer to each other but am still getting "WARNING: an activation rule with no dynamic rules matched." When I run in console mode the activate rule gives the output message but the dynamic rule does not seem to work; I don't know what is wrong.

activate tcp ***.***.***.*** any <> any any (content:"www.******.com"; msg:"somebody is accessing www.******.com"; activates:0000003; sid:0000002;)
dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated as ****** was accessed"; activated_by:0000002; count:5; sid:0000003;)

On 9/3/15, waldo kitty <wkitty42 () windstream net> wrote:
> On 09/03/2015 01:33 AM, Valerius Travasso wrote:
>> OK so first problem
>> 1) activate tcp ***.***.***.*** any <> any any (content:"www.******.com"; msg:"somebody is accessing www.******.com"; activates:1212; sid:0000002;)
>> dynamic tcp ***.***.***.*** any <> any any (msg:"action was activated as ****** was accessed"; activated_by:1212; count:5; sid:0000003;)
>> when I run this rule with sudo snort -A console -c /etc/snort/snort.conf -i eth0 the activate part works fine but the dynamic rule part shows the following warning:
>> WARNING: an activation rule with no dynamic rules matched.
>
> the documentation isn't very clear but it looks to me like your "activates:1212" and "activated_by:1212" are wrong... the dynamic one is SID 0000003 and the active one is SID 0000002... so they should reference each other... eg:
>
> activates:0000003
> activated_by:0000002
>
> there is also a note activate and dynamic rules being phased out in favor of using a combination of tagging and flowbits...
>
> http://manual.snort.org/node299.html
>
>> 2) I'm having some problem with log. I want to log specific packets only; in the directory var/log/snort I get the log file of the entire run.
>> alert icmp ***.***.***.*** any -> ***.***.***.*** any (msg:"GOT PING BY PC 8"; sid:0000006;)
>> also nothing in the log folder in etc/snort/log. Did not get anything with logto. I know we can't use logto when snort is in binary mode. Have barnyard installed, does it affect the logto option?
>
> i don't have any ideas about this, though... our logs are written to /var/log/snort which is set as the default logging directory in snort.h...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>       *Please keep mailing list traffic on the list* unless private
>       contact is specifically requested and granted.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
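waldo's reply points at the manual's note that activate/dynamic pairs are being phased out in favour of tagging and flowbits. The following is an added example, not a rule from either poster, showing how the pair in this thread could be expressed that way: a flowbit is set when the hostname is seen, `tag:session,5,packets` logs the following five packets of that TCP session (the closest equivalent of `count:5`), and a second rule fires only on flows where the bit is set (the equivalent of `activated_by`). The hostname `www.example.com`, the variable `$HOME_NET` in place of the masked addresses, and the flowbit name are all assumptions; SIDs are moved into the range at or above 1000000 that Snort leaves free for local rules.

```snort
# Added example, not from the thread: activate/dynamic pair rewritten with
# flowbits + tag. Hostname, $HOME_NET and the flowbit name are placeholders.

# 1. Match the request, mark this flow, and log the next 5 packets of the
#    same TCP session (stands in for the dynamic rule's count:5).
alert tcp $HOME_NET any <> any any ( \
    msg:"somebody is accessing www.example.com"; \
    content:"www.example.com"; nocase; \
    flowbits:set,example.site.accessed; \
    tag:session,5,packets; \
    sid:1000002; rev:1; )

# 2. Fire only on a flow where rule 1 already set the bit
#    (stands in for activated_by on the dynamic rule).
alert tcp $HOME_NET any <> any any ( \
    msg:"action after www.example.com was accessed"; \
    flowbits:isset,example.site.accessed; \
    sid:1000003; rev:1; )
```

Two differences from the original pair are worth keeping in mind: the flowbit is scoped to one TCP session, whereas an activate/dynamic pair acted on any subsequent matching packets, and the first rule alerts on its own; add `flowbits:noalert;` to it if only the follow-up alert is wanted. Test with `snort -T -c /etc/snort/snort.conf` first, since a flowbit name that is set but never checked (or checked but never set) is reported at configuration time.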
Current thread:
- problems with snort rules Valerius Travasso (Sep 02)
- Re: problems with snort rules waldo kitty (Sep 03)
- Re: problems with snort rules Valerius Travasso (Sep 08)
- Re: problems with snort rules Joel Esler (jesler) (Sep 09)
- Re: problems with snort rules Valerius Travasso (Sep 08)
- Re: problems with snort rules waldo kitty (Sep 03)