Snort mailing list archives
Re: host-specificity in dynamic rules?
From: Chris Green <cmg () uab edu>
Date: Tue, 08 Jan 2002 13:25:08 -0600
Glenn Forbes Fleming Larratt <glratt () is rice edu> writes:
> 1. Is there a way for an activate/dynamic rule pair to zero in on the specific hosts detected by the activate rule? i.e., if I were to write:
>
> activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
> msg:"Telnet SYN";)
>
> dynamic TCP !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)
use tagging

alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; msg:"Telnet SYN"; \
tag: host, 10, seconds;)

to get the binary logs
> 2. More generally, is there further documentation available on activate/dynamic pairs? Nothing in the FAQ, and the example in the USAGE file is very generic.
Its original purpose was replaced with tags. Tags will be fleshed out more in the future (2.0 era).

--
Chris Green <cmg () uab edu>
This is my signature. There are many like it but this one is mine.
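A small model of the difference Chris points at, added here as an example and not code from the thread or from Snort: it runs a constructed packet stream through the activate/dynamic pair with count:10 and through tag:host,10,seconds. The semantics are assumed and simplified from Snort 1.x (the dynamic rule logs the next 10 packets matching its own header, i.e. from any external host to port 23; the tag logs every later packet from the triggering source host, on any port, for 10 seconds); direction and HOME_NET checks are left out.

```python
"""Model of activate/dynamic (count:10) versus tag:host,10,seconds.
Added example with assumed, simplified Snort 1.x semantics; the packet
stream below is constructed, not captured traffic."""
from dataclasses import dataclass

@dataclass
class Packet:
    t: float     # arrival time in seconds
    src: str     # external source host
    dport: int   # destination port on the monitored host
    syn: bool    # TCP SYN flag set (flags:S+)

def is_telnet_syn(p):
    return p.dport == 23 and p.syn

def dynamic_capture(packets, count=10):
    """Once activated, log the next `count` telnet packets from ANY host."""
    logged, remaining = [], 0
    for p in packets:
        if p.dport != 23:
            continue                   # dynamic header only matches port 23
        if remaining == 0:
            if is_telnet_syn(p):
                remaining = count      # activate rule fired
            continue
        logged.append(p)               # no host state: any source counts
        remaining -= 1
    return logged

def tag_capture(packets, seconds=10):
    """The SYN alert tags its source host; log that host until expiry."""
    expiry, logged = {}, []
    for p in packets:
        if p.src in expiry and p.t > expiry[p.src]:
            del expiry[p.src]               # tag aged out
        if p.src in expiry:
            logged.append(p)                # tagged host, any port
        elif is_telnet_syn(p):
            expiry[p.src] = p.t + seconds   # alert fires, tag starts now
    return logged

# Constructed stream: A triggers at t=0; C never sends a telnet SYN.
STREAM = [
    Packet(0, "A", 23, True), Packet(1, "B", 80, False),
    Packet(2, "A", 80, False), Packet(3, "C", 23, False),
    Packet(4, "C", 23, False), Packet(5, "A", 23, False),
    Packet(12, "A", 23, False), Packet(13, "C", 80, False),
]
```

Running both over STREAM shows the dynamic rule logging C's packets although only A tripped the activate rule, while the tag follows A alone (including its port 80 packet) and stops once the 10 seconds are up.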