[Snort-devel] dynamic rules
Philipp.Stadler at ...491...
Fri Jun 29 07:21:00 EDT 2001
I have an idea about dynamic rules and I want to know what you think about it.
The following example will show my proposition (you do not need to look exactly at the
rules; only the rule header is important):
$HOME_NET is my own network "behind" SNORT.
$ATTACKER is the IP of a possible attacker.
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content:
"|E8C0FFFFFF|/bin"; activates: 1; msg: "IMAP buffer overflow!";)
dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1;)
With this dynamic rule I want to log all packets from the attacker to my home
network, so I can see everything he is trying to send to my network.
With the following packet I will trigger the activate rule:
13:36:19.307815 > attacker.com.1025 > myimap.at.1023: P 31872:32196(324) ack 1
win 32120 <nop,nop,timestamp 16790928 2816101900> (DF)
Now I will log the whole traffic from "attacker.com" to my home_net, but in
current versions of SNORT
I can only specify static variables (like $HOME_NET).
So I want to reference, in the dynamic rule, the original captured packet
(like the one above).
Sorry for my bad English; I hope you can understand what I mean, because I think
this would be a cool feature for SNORT.
debis Systemhaus Oesterreich GmbH
telephone: +(43) 1 599 03 - 4759
fax: +43 1 595 34 67- 4399
mail: Philipp.Stadler at ...491...
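As an added illustration of the proposal (this is not code from the post above and not Snort's own implementation), the following Python simulation pairs an activate rule with a dynamic rule whose source address is bound from the packet that triggered the activation. The home network 10.0.0.0/24, the attacker and bystander addresses, the packet contents, and the per-activation packet budget are all constructed here for the example; the trigger content bytes follow the rule in the post (hex E8C0FFFFFF followed by "/bin"), read as an assumption about what that content option intends.

```python
"""Toy activate/dynamic rule engine: the dynamic rule's source address is
taken from the packet that fired the activate rule (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for Snort's $HOME_NET variable.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")


def in_home_net(ip: str) -> bool:
    """True if the address lies inside $HOME_NET."""
    return ipaddress.ip_address(ip) in HOME_NET


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Engine:
    # Content from the activate rule in the post: |E8C0FFFFFF| then "/bin".
    trigger_content: bytes = b"\xe8\xc0\xff\xff\xff/bin"
    trigger_port: int = 143
    # How many follow-up packets the dynamic rule logs per activation
    # (Snort's "count" option plays the same role; value is constructed).
    max_packets: int = 50
    # $ATTACKER bindings: source IP of the triggering packet -> packets still to log.
    active: dict = field(default_factory=dict)
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    logged: List[Packet] = field(default_factory=list)

    def process(self, pkt: Packet) -> Optional[str]:
        """Apply the activate rule, then any dynamic rule bound to pkt.src."""
        # activate tcp !$HOME_NET any -> $HOME_NET 143 (content: ...; activates: 1;)
        if (not in_home_net(pkt.src) and in_home_net(pkt.dst)
                and pkt.dport == self.trigger_port
                and self.trigger_content in pkt.payload):
            self.alerts.append((pkt.src, "IMAP buffer overflow!"))
            # This is the proposed feature: $ATTACKER := src of the triggering packet.
            self.active[pkt.src] = self.max_packets
            return "alert"

        # dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1;)
        remaining = self.active.get(pkt.src)
        if remaining and in_home_net(pkt.dst):
            self.logged.append(pkt)
            remaining -= 1
            if remaining == 0:
                del self.active[pkt.src]      # budget exhausted, binding expires
            else:
                self.active[pkt.src] = remaining
            return "log"
        return None


# Constructed traffic: one trigger, two follow-ups from the same source,
# one packet from an unrelated host, one attacker packet leaving $HOME_NET.
CONSTRUCTED_PACKETS = [
    Packet("192.0.2.10", 1025, "10.0.0.5", 143,
           b"A" * 16 + b"\xe8\xc0\xff\xff\xff/bin/sh"),        # fires activate rule
    Packet("192.0.2.10", 1026, "10.0.0.5", 22, b"SSH-2.0-probe"),   # logged by dynamic rule
    Packet("192.0.2.10", 1027, "10.0.0.7", 80, b"GET / HTTP/1.0\r\n"),  # logged, budget now 0
    Packet("198.51.100.3", 4000, "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),  # other host: ignored
    Packet("192.0.2.10", 1028, "203.0.113.9", 80, b"x"),             # not to $HOME_NET: ignored
]


def run_demo(budget: int = 2):
    """Run the constructed packets through an engine with a small budget."""
    eng = Engine(max_packets=budget)
    results = [eng.process(p) for p in CONSTRUCTED_PACKETS]
    return results, eng


if __name__ == "__main__":
    results, eng = run_demo()
    for pkt, verdict in zip(CONSTRUCTED_PACKETS, results):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The budget is what keeps a binding from living forever once the attacker goes quiet; without it the engine would accumulate one entry per triggering source indefinitely. Later Snort releases cover this use case with the `tag` rule option, which logs further packets from the host or session that raised an alert.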