[Snort-devel] dynamic rules

Philipp Stadler Philipp.Stadler at ...491...
Fri Jun 29 07:21:00 EDT 2001


I have an idea about dynamic rules and I want to know what you think about it.

The following example will show my proposition (you need not look exactly at the
rules; only the rule header is important):

$HOME_NET is my own network "behind" SNORT.
$ATTACKER is the IP of a possible attacker.

activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: "|E8C0FFFFFF|/bin"; activates: 1; msg: "IMAP buffer overflow!";)

dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1;)

With this dynamic rule I want to log all packets from the attacker to my home
network, so I can see everything he is trying to send to my network.

With the following packet I will trigger the activate rule:

13:36:19.307815 > attacker.com.1025 > myimap.at.1023: P 31872:32196(324) ack 1
          win 32120 <nop,nop,timestamp 16790928 2816101900> (DF)

Now I will log all the traffic from "attacker.com" to my home_net, but in
current versions of SNORT I can only specify static variables (like $HOME_NET).
So I want to reference, in the dynamic rule, the originally captured packet
(like the one above).

Sorry for my bad English; I hope you can understand what I mean, because I think
this would be a cool feature for SNORT.

best regards
Philipp Stadler
debis Systemhaus Oesterreich GmbH
Communication Platforms
telephone: +(43) 1 599 03 - 4759
fax: +43 1 595 34 67- 4399
mail: Philipp.Stadler at ...491...
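The stateful behaviour the post asks for, as an added example that is not part of the original message and not Snort code: the activate rule fires on the IMAP pattern, and the dynamic rule's $ATTACKER is bound to the source IP of the triggering packet instead of to a static variable. HOME_NET, the sample addresses and the packet budget (Snort's count option, which the post's rule omits) are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed values (not from the post): HOME_NET, and a packet budget like Snort's 'count'.
HOME_NET = ip_network("192.168.1.0/24")
DYNAMIC_COUNT = 3
IMAP_PATTERN = bytes.fromhex("E8C0FFFFFF") + b"/bin"  # content: "|E8C0FFFFFF|/bin"
Packet = namedtuple("Packet", "src dst dport payload", defaults=(b"",))

class Sensor:
    def __init__(self):
        self.attackers = {}  # $ATTACKER bindings: src IP -> packets left to log
        self.log = []

    def activate_rule(self, pkt):
        # activate tcp !$HOME_NET any -> $HOME_NET 143 (content: "|E8C0FFFFFF|/bin"; activates: 1;)
        return (ip_address(pkt.src) not in HOME_NET and ip_address(pkt.dst) in HOME_NET
                and pkt.dport == 143 and IMAP_PATTERN in pkt.payload)

    def dynamic_rule(self, pkt):
        # dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1; count: 3;)
        # $ATTACKER is not a static variable: it is the source IP saved at activation time.
        return pkt.src in self.attackers and ip_address(pkt.dst) in HOME_NET

    def process(self, pkt):
        if self.activate_rule(pkt):
            self.attackers[pkt.src] = DYNAMIC_COUNT
            self.log.append(("IMAP buffer overflow!", pkt.src, pkt.dst, pkt.dport))
        elif self.dynamic_rule(pkt):
            self.log.append(("dynamic", pkt.src, pkt.dst, pkt.dport))
            self.attackers[pkt.src] -= 1
            if self.attackers[pkt.src] == 0:  # budget spent: the binding expires
                del self.attackers[pkt.src]

def run(packets):
    sensor = Sensor()
    for pkt in packets:
        sensor.process(pkt)
    return sensor.log

# Constructed traffic: the triggering packet, then follow-up traffic from two hosts.
SAMPLE = [
    Packet("10.0.0.5", "192.168.1.10", 143, b"A" * 16 + IMAP_PATTERN),  # fires activate rule 1
    Packet("10.0.0.5", "192.168.1.10", 22),   # logged by the dynamic rule
    Packet("10.0.0.5", "192.168.1.20", 80),   # logged: any $HOME_NET host, any port
    Packet("10.0.0.9", "192.168.1.10", 22),   # not logged: not the bound attacker
    Packet("10.0.0.5", "8.8.8.8", 80),        # not logged: destination outside $HOME_NET
    Packet("10.0.0.5", "192.168.1.30", 25),   # logged: third and last packet of the budget
    Packet("10.0.0.5", "192.168.1.30", 25),   # not logged: binding expired
]
```

Without a budget or timeout the per-attacker binding would never expire, so in a real sensor the state table needs a bound like Snort's count option.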
