Snort mailing list archives
Re: Can I automatically include rules?
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 6 Dec 2005 11:19:56 -0600
sticky-drop in snort-inline can do this. You could probably accomplish the same thing with Snortsam In InlineMode(); but I haven't tried it.

Regards,

Will

On 12/6/05, oink () signalno9 org <oink () signalno9 org> wrote:
> Hello,
>
> I would like to include a rule when another is triggered, for example:
>
> If this rule is triggered:
>
> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url, www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5;)
>
> I would like to also trigger this rule for n minutes/seconds:
>
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
>
> I've looked at the tagging option for rules but I need to drop them, not just log them.
>
> Any ideas?