Snort mailing list archives
Re: Activate and dynamic rules
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 26 May 2016 14:11:35 +0000
Hello,

FYI... The activate/dynamic rules are being phased out. See the manual here:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00426000000000000000

It is recommended that tagging is used.

Tagging section:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#tag_section

A tagging rule would be something like:

alert tcp any any -> any any (msg:"TAGGED"; content:"GET"; tag:host,3,packets,src; sid:1;)

This would log 3 packets after the initial alert that have the source address in them.

./bin/snort -c etc/TEST.conf -r /home/alewis/Downloads/STUFF/CURL.pcap -l . -H -U -k none -q

root@big-debbie:/var/tmp/snort-2.9.8.2# tcpdump -n -r snort.log.1464271674
reading from file snort.log.1464271674, link-type EN10MB (Ethernet)
05:28:13.430908 IP 10.0.2.15.49126 > 199.43.0.43.80: Flags [P.], seq 238023807:238023883, ack 109504002, win 29200, length 76
05:28:13.431802 IP 199.43.0.43.80 > 10.0.2.15.49126: Flags [.], ack 76, win 65535, length 0
05:28:13.456438 IP 199.43.0.43.80 > 10.0.2.15.49126: Flags [P.], seq 1:529, ack 76, win 65535, length 528
05:28:13.456486 IP 10.0.2.15.49126 > 199.43.0.43.80: Flags [.], ack 529, win 30016, length 0
root@big-debbie:/var/tmp/snort-2.9.8.2#

Hope this helps.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Nicolas Matovelle Trigo [mailto:nicolas.matovelle () tarlogic com]
Sent: Thursday, May 26, 2016 7:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Activate and dynamic rules

Hi,

I've just started using snort and I can't get it working. I've installed it in a CentOS 7.2 virtual machine and configured it to act as gateway for another network, and it works. At first I set only the following rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP response"; sid:123;)

And I could see the responses in the alert file.

But now I'm trying to use a dynamic rule like the following:

activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)
dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count: 10000;)

The actual behavior is that snort alerts on the "Activating" rule, but I never see the "Dynamic not activated" message. The only thing uncommon in my configuration is that I commented out the line "dynamicdetection directory /usr/local/lib/snort_dynamicrules" from snort.conf, as I don't have such a directory and snort failed to start with that line.

Thanks in advance for your attention,
Nico.
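Carrying Al's suggestion through to Nico's rule pair, here is the activate/dynamic pair rewritten with the tag keyword. This is an added example, not rules from the thread or from the Snort distribution; it assumes Snort 2.9.x rule syntax and that $HOME_NET and $EXTERNAL_NET are defined in snort.conf. Both tag variants are shown for comparison; in a real rules file you would keep one.

```snort
# Added example (not from the thread). Snort 2.9.x syntax assumed.

# --- Deprecated pair from the original post, kept here only for reference ---
# activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)
# dynamic  tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count: 10000;)

# --- Replacement 1: tag the triggering session ---
# Same header as the activate rule. After the alert, the next 10000 packets of
# the flow that fired it are logged. Format: tag:<type>,<count>,<metric>[,<direction>]
# A packets metric is not subject to tagged_packet_limit.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating - session tagged"; tag:session,10000,packets; sid:100; rev:2;)

# --- Replacement 2: tag the triggering host ---
# Logs every packet to or from the source host of the alerting packet for the
# next 60 seconds, regardless of port or flow. With a seconds or bytes metric
# the number of tagged packets is capped by tagged_packet_limit (default 256),
# so raise it in snort.conf if 256 is too few:
#   config tagged_packet_limit: 10000
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating - host tagged"; tag:host,60,seconds,src; sid:102; rev:1;)
```

Two differences from the original pair are worth checking before relying on this. Nico's dynamic rule had an `any any <> any any` header, so once activated it would have logged up to 10000 packets of whatever Snort saw next; `tag:session` is scoped to the flow that alerted and `tag:host` to the alerting host, which is usually what you actually want. Tagged packets are written to the log output in the `-l` directory rather than to the alert file, which is why Al read them back with tcpdump: in his run the log held the GET that fired the rule followed by the 3 tagged packets.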
Current thread:
- Activate and dynamic rules Nicolas Matovelle Trigo (May 26)
- Re: Activate and dynamic rules wkitty42 (May 26)
- Re: Activate and dynamic rules Al Lewis (allewi) (May 26)