Snort mailing list archives
Re: Activate and dynamic rules
From: wkitty42 () windstream net
Date: Thu, 26 May 2016 10:11:04 -0400
On 05/26/2016 07:56 AM, Nicolas Matovelle Trigo wrote:
> Hi, I've just started using snort and I can't get it working. I've installed it in a CentOS 7.2 virtual machine and configured it to act as gateway for other network and it works. At the first moment I set only the following rule:
>
> "alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP response"; sid:123)"
>
> And I could see the responses on the alert file. But now I'm trying to use a dynamic rule like the following:
>
> activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)

just guessing but shouldn't that be activates:101?

> dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count: 10000;)

and this activated_by:100?

IIUC those numbers are the SID to be activated and activated_by...

FWIW: you should also make it a practice to use SID numbers greater than 1000000 so there's no problems or confusion if/when you add other rules sets to your setup...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
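
A small rule-file check for the two points raised in this thread, as an added example that is not from the original messages or the Snort project: it flags local SIDs below 1000000 and activate/dynamic rules whose link numbers have no counterpart. It assumes the pairing shown in the Snort 2 manual's activate/dynamic example, where `activates` and `activated_by` carry the same number; `parse_rule` and `lint` are hypothetical helper names.

```python
import re

LOCAL_SID_MIN = 1000000  # threshold recommended in the reply above

# Constructed sample: the two rules quoted in the thread, unchanged.
THREAD_RULES = '''
activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)
dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count: 10000;)
'''

RULE_RE = re.compile(r'^(\w+)\s+[^(]*\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Return (action, {option: value}); None for blanks, comments, non-rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    # Append ';' so a final option without a terminator is still captured.
    opts = {k: v.strip() for k, v in OPT_RE.findall(m.group(2) + ';')}
    return m.group(1), opts

def lint(text):
    """Return findings, in rule order, for a block of Snort 2 rule text."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    # Assumption: activates/activated_by share a link number (manual example).
    activators = {o['activates'] for a, o in rules if a == 'activate' and 'activates' in o}
    listeners = {o['activated_by'] for a, o in rules if a == 'dynamic' and 'activated_by' in o}
    findings = []
    for action, o in rules:
        sid = o.get('sid', '?')
        if not sid.isdigit():
            findings.append(f'sid {sid}: missing or non-numeric sid')
        elif int(sid) < LOCAL_SID_MIN:
            findings.append(f'sid {sid}: local rule SID below {LOCAL_SID_MIN}')
        if action == 'activate' and o.get('activates') not in listeners:
            findings.append(f"sid {sid}: activates:{o.get('activates')} has no dynamic rule")
        if action == 'dynamic':
            if o.get('activated_by') not in activators:
                findings.append(f"sid {sid}: activated_by:{o.get('activated_by')} has no activate rule")
            if 'count' not in o:
                findings.append(f'sid {sid}: dynamic rule without count')
    return findings

if __name__ == '__main__':
    for finding in lint(THREAD_RULES):
        print(finding)
```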
Current thread:
- Activate and dynamic rules Nicolas Matovelle Trigo (May 26)
- Re: Activate and dynamic rules wkitty42 (May 26)
- Re: Activate and dynamic rules Al Lewis (allewi) (May 26)