Snort mailing list archives
Re: a few questions...
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 06 Jul 2013 09:14:07 -0400
On 7/5/2013 21:24, Joel Esler wrote:
We should probably think about removing dynamically activated rules. I've not met anyone that uses those (that didn't know about flowbits) in many years.
i don't know... the example i read in the docs seems to offer some nice
possibilities... that example was about capturing the next 50 packets after
detecting IMAP buffer overflow, IIRC...
i'm a bit confused by the method of determining the activator and the activatee,
though... it would seem to be better to use the SIDs instead of some random
number, wouldn't it?
activates:12345 where 12345 is the SID of the dynamically activated rule.
activated_by:12300 where 12300 is the SID of the activating rule.
or maybe i'm misunderstanding and the examples are not accurate and complete?
both use "1" for their activate field and neither carries a SID :/
i can, in fact, see great potential for this and it may actually be exactly what
i'm looking for to track and handle brute force signup attempts to web forums...
i'm using flowbits for this but they do not cross sessions... they don't in my
(admittedly old 2.8.6.1) production box, anyway... this might provide a method
of handling multiple sessions in this process... or is this activation stuff
also limited to only the current active session?
are the dynamic rules also only limited to logging the data? perhaps that can be
expanded so they can watch and trigger additional dynamic rules or raise
additional alerts?
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
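For reference, the activate/dynamic pairing the Snort 2.x manual illustrates with the IMAP example mentioned above, written out here as an added example (not from the thread), with SIDs filled in to show that the activates/activated_by number is only a link id between the two rules, not a SID. The tag-based forms that follow assume the manual's tag option; the SIDs are made up and the content pattern is the manual's illustrative one, not a signature to deploy.

```snort
# Activate rule: alerts, then arms the dynamic rule that shares link id 1.
# "activates:1" is a link number between the pair, not a SID; each rule
# carries its own (made-up) sid.
activate tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP buffer overflow (manual example)"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; activates:1; sid:1000001; rev:1;)

# Dynamic rule: idle until activated, then behaves like a log rule for the
# next 50 packets matching its header. It only logs; it does not alert or
# activate further rules.
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50; sid:1000002; rev:1;)

# Same effect with the tag option, which the manual names as the
# replacement for activate/dynamic: one alert rule that also logs the next
# 50 packets of the same session.
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP buffer overflow (manual example)"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; tag:session,50,packets; sid:1000003; rev:1;)

# tag:host follows the source host rather than one session, so traffic from
# that host is logged for 300 seconds even when it opens new connections.
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP buffer overflow (manual example)"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; tag:host,300,seconds,src; sid:1000004; rev:1;)
```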