Snort mailing list archives
Using generalised rules to activate bulk rules
From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Wed, 23 Oct 2002 19:13:55 +0200
Hi,

I have been fondling with the idea of setting a generalised rule looking for http based traffic; once it is triggered, it then activates the relevant subset of rules. For example:

    activate tcp any any -> any $HTTP_PORTS (activates:1;)

then it calls

    dynamic tcp any any -> any any (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3; activated_by:1; count:1;)

    next 50 odd rules applicable to activation rule 1 here ... .... ......
    next activation rule ()
    next set of dynamic rules ()
    etc.. etc..

The problem is that the activate rule, as it is presently designed, will create an alert, which is not desired (every http packet will get logged). Something that is kind of a hybrid of pass & activate would do the trick.

The concept is a little different from tagging, as my understanding has it, as I don't want to log more packets, just activate certain rules when an activation rule is triggered.

The idea basically is that for the 1700+ rules you can use ~30 activation/pass hybrids which would call the rest of the rules. So in effect you would only have ~30 rules which snort has to burn through for each and every packet, and on the off chance that an activation hybrid is triggered, the 100+ rules relevant to that activation rule are processed.

No doubt this has probably come up before, but I seem to have missed the thread. Any thoughts on the subject, or am I beating a dead horse?

regards
Sean

-------------------------------------------------------
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
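The gating idea in the post, as an added simulation (not Snort's engine and not code from the poster): a flat rule set is compared with a set of generalised gate rules that each switch on a subset, counting how many rule evaluations each scheme costs per packet and which alerts come out. The `gate_alerts` switch reproduces the complaint that an activate rule alerts on every http packet; all rule sets, sids other than 1773, and packets are constructed for the example.

```python
from collections import namedtuple

# sid: rule id; dport: destination port or None for any; content: required payload substring or None
Rule = namedtuple("Rule", "sid dport content")
Packet = namedtuple("Packet", "dport payload")

def matches(rule, pkt):
    return (rule.dport is None or rule.dport == pkt.dport) and \
           (rule.content is None or rule.content in pkt.payload)

def run_flat(rules, packets):
    """Every rule is checked against every packet. Returns (alert sids, evaluations)."""
    alerts, evals = [], 0
    for pkt in packets:
        for r in rules:
            evals += 1
            if matches(r, pkt):
                alerts.append(r.sid)
    return alerts, evals

def run_gated(gates, subsets, packets, gate_alerts=True):
    """Gate rules run on every packet; a subset runs only on packets its gate matched.
    gate_alerts=True mirrors Snort activate rules, which alert every time they fire
    (the problem raised in the post); False models the pass/activate hybrid it asks for."""
    alerts, evals = [], 0
    for pkt in packets:
        for g in gates:
            evals += 1
            if not matches(g, pkt):
                continue
            if gate_alerts:
                alerts.append(g.sid)
            for r in subsets[g.sid]:
                evals += 1
                if matches(r, pkt):
                    alerts.append(r.sid)
    return alerts, evals

# Constructed rule sets: sid 1773 is the php.exe rule quoted in the post; the other
# sids and URIs are made up to give the subsets realistic size.
WEB = [Rule(1773, 80, "/php.exe")] + [Rule(10000 + i, 80, f"/vuln{i}.cgi") for i in range(49)]
SMTP = [Rule(20000 + i, 25, f"VERB{i} ") for i in range(10)]
GATES = [Rule(1, 80, None), Rule(2, 25, None)]   # the ~30 generalised activation rules, here two
SUBSETS = {1: WEB, 2: SMTP}
# Constructed traffic: two web requests, one SMTP command, one unrelated TLS packet.
PACKETS = [Packet(80, "GET /index.html HTTP/1.0"), Packet(80, "GET /php.exe?x HTTP/1.0"),
           Packet(25, "HELO mail.example"), Packet(443, "\x16\x03\x01")]

if __name__ == "__main__":
    print(run_flat(WEB + SMTP, PACKETS), run_gated(GATES, SUBSETS, PACKETS), run_gated(GATES, SUBSETS, PACKETS, False))
```

With 60 rules and 4 packets the flat run costs 240 evaluations, the gated run 118, and only the hybrid variant yields the single php.exe alert without the two extra gate alerts.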
Current thread:
- Swatch + Snort: SMTP HELO overflow attempt jo cam (Oct 23)
- Using generalised rules to activate bulk rules Sean Wheeler (Oct 23)