Snort mailing list archives

host-specificity in dynamic rules?


From: Glenn Forbes Fleming Larratt <glratt () is rice edu>
Date: Tue, 8 Jan 2002 12:39:44 -0600 (CST)

1. Is there a way for an activate/dynamic rule pair to zero in on the
specific hosts detected by the activate rule? i.e., if I were to
write:

activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
   msg:"Telnet SYN";)
dynamic tcp !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)

If I've understood it correctly, a SYN from an external host would
log the next ten Telnet packets from *anywhere* outside to *anywhere*
inside. I would like to have the dynamic rule zero in on the two hosts
in the packet that triggered the activate rule - does Snort have this
capability, either currently or planned?

2. More generally, is there further documentation available on
activate/dynamic pairs? Nothing in the FAQ, and the example in the
USAGE file is very generic.

Thanks for any info,

        -g


Glenn Forbes Fleming Larratt          glratt () rice edu
http://is.rice.edu/~glratt

There are imaginary bugs to chase in heaven.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
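Editor's note (added example, not part of the original post and not Snort's own code): the small model below shows the behaviour the poster describes for the activate/dynamic pair as written (the dynamic rule's counter is shared, so packets from any external host to any internal host consume it) next to the host-pair-scoped behaviour the poster is asking for. The $HOME_NET value, the packet tuples and the "a new SYN re-arms the counter" detail are assumptions made for the illustration, not facts about Snort's implementation. In Snort 2 rule syntax the `tag` option (for example `tag:session,10,packets` on the activate rule's alert) gives per-session follow-up logging of this kind.

```python
"""Model of Snort activate/dynamic semantics vs. a host-pair-scoped variant.

Added example; not Snort code. Packets are constructed tuples
(src, dst, dport, tcp_flags) standing in for decoded headers.
"""
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET


def is_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def matches_telnet_inbound(pkt) -> bool:
    """Header shared by both rules: tcp !$HOME_NET any -> $HOME_NET 23."""
    src, dst, dport, _flags = pkt
    return (not is_home(src)) and is_home(dst) and dport == 23


def is_syn(flags: str) -> bool:
    """flags:S+ means the SYN bit is set, other bits allowed."""
    return "S" in flags


def dynamic_global(packets, count=10):
    """The pair as written in the post, as the poster reads it.

    The activate rule fires on an inbound SYN; the dynamic rule then logs
    the next `count` packets matching its own header, from *any* external
    host to *any* internal host.  Returns indices of logged packets.
    Assumption for this model: a later SYN re-arms the counter.
    """
    logged = []
    remaining = 0
    for i, pkt in enumerate(packets):
        if not matches_telnet_inbound(pkt):
            continue
        if is_syn(pkt[3]):
            remaining = count  # activate rule fires and logs this packet itself
            continue
        if remaining > 0:
            logged.append(i)
            remaining -= 1
    return logged


def dynamic_per_pair(packets, count=10):
    """What the poster wants: one counter per (external, internal) pair.

    The counter is keyed on the addresses of the triggering SYN, so only
    further packets between those two hosts are logged.
    """
    armed = {}  # (src, dst) -> packets still to log for that pair
    logged = []
    for i, pkt in enumerate(packets):
        if not matches_telnet_inbound(pkt):
            continue
        src, dst, _dport, flags = pkt
        key = (src, dst)
        if is_syn(flags):
            armed[key] = count
            continue
        if armed.get(key, 0) > 0:
            logged.append(i)
            armed[key] -= 1
    return logged


# Constructed sample traffic (not a real capture).
PACKETS = [
    ("198.51.100.7", "10.0.0.5", 23, "S"),    # 0: external SYN, arms the rule
    ("203.0.113.9", "10.0.0.8", 23, "PA"),    # 1: unrelated inbound telnet
    ("198.51.100.7", "10.0.0.5", 23, "A"),    # 2: handshake ACK from trigger host
    ("203.0.113.9", "10.0.0.8", 23, "PA"),    # 3: unrelated inbound telnet
    ("198.51.100.7", "10.0.0.5", 23, "PA"),   # 4: data from trigger host
    ("10.0.0.5", "198.51.100.7", 23, "PA"),   # 5: reply, outbound, matches nothing
    ("198.51.100.7", "10.0.0.5", 23, "PA"),   # 6: data from trigger host
    ("198.51.100.7", "10.0.0.5", 23, "PA"),   # 7: data, past the per-pair budget
]

if __name__ == "__main__":
    # With count=3 the shared counter is spent partly on the unrelated host,
    # while the per-pair counter follows only the triggering pair.
    print("global  :", dynamic_global(PACKETS, count=3))
    print("per-pair:", dynamic_per_pair(PACKETS, count=3))
```

Running it with count=3 shows the shared counter logging packets 1, 2 and 3 (two of which belong to the unrelated host 203.0.113.9) and stopping, while the per-pair counter logs packets 2, 4 and 6, all from the host that sent the triggering SYN.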