[Snort-devel] dynamic rules
roesch at ...402...
Fri Jun 29 09:27:25 EDT 2001
Use the tag subsystem built into 1.8.
activate tcp !$HOME_NET any -> $HOME_NET 143 \
(flags: PA; \
tag: src, host, 600, seconds; \
msg: "IMAP buffer overflow!";)
That'll do what you want (record all traffic from the host that caused
the alert to be generated for the next 10 minutes).
There's also a pointer in the tag struct for attaching an OptTreeNode to
the dynamic logging tag, which eventually (when I get around to it) will
allow us to generate real dynamic rules in terms of the hosts that are
involved in a connection.
Philipp Stadler wrote:
> I have an idea about dynamic rules and I want to know what you think about it.
> The following example will show my proposal (you need not look exactly at the
> rules; only the rule header is important):
> $HOME_NET is my own network "behind" SNORT.
> $ATTACKER is the IP of a possible attacker.
> activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content:
> "|E8C0FFFFFF|\bin|; activates: 1; msg: "IMAP buffer overflow!";)
> dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1;)
> With this dynamic rule I want to log all packets from the attacker to my home
> network, so I can see everything he is trying to send to my network.
> With the following packet I will trigger the activate rule:
> 13:36:19.307815 attacker.com.1025 > myimap.at.1023: P 31872:32196(324) ack 1
> win 32120 <nop,nop,timestamp 16790928 2816101900> (DF)
> Now I want to log all traffic from "attacker.com" to my home_net, but in
> current versions of SNORT
> I can only specify static variables (like $HOME_NET).
> So I want the dynamic rule to reference the original captured packet
> (like the one above).
> Sorry for my bad English; I hope you can understand what I mean, because I think
> this would be a cool feature for SNORT.
> best regards
> Philipp Stadler
> debis Systemhaus Oesterreich GmbH
> Communication Platforms
> telephone: +(43) 1 599 03 - 4759
> fax: +43 1 595 34 67- 4399
> mail: Philipp.Stadler at ...491...
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
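The tag-based answer above, worked through as an added example that is not Snort's code and not part of the original thread: a small Python model of what `tag: src, host, 600, seconds` does once the activate rule fires. The class and function names, the 192.0.2.x/10.0.0.x addresses, the `|E8C0FFFFFF|/bin` payload bytes and the sample packets are all constructed for the demo; the model logs only later traffic from the tagged source host, as Marty's reply describes, and does not reproduce Snort's own tag implementation.

```python
"""Simulation of Snort 1.8 `tag:` host tagging (added example, not Snort code).

Models the reply's rule: an activate rule on IMAP (tcp from outside to
$HOME_NET port 143, flags PA, exploit content) fires, and from then on every
packet whose source is the triggering host is logged for the next 600 seconds
regardless of destination port. Hosts, timestamps and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    ts: float          # seconds since capture start (packets are fed in time order)
    src: str
    dst: str
    dport: int
    flags: str         # TCP flag letters as tcpdump/Snort print them, e.g. "PA"
    payload: bytes = b""


# Assumed exploit signature, taken from the quoted proposal's content match:
# a CALL opcode (E8 C0 FF FF FF) followed by "/bin".
IMAP_SIG = bytes.fromhex("E8C0FFFFFF") + b"/bin"


class HostTagEngine:
    """Minimal activate-rule + host-tag engine; names are this example's, not Snort's."""

    def __init__(self, home_prefix: str, tag_seconds: int = 600):
        self.home_prefix = home_prefix   # stand-in for $HOME_NET, e.g. "10.0.0."
        self.tag_seconds = tag_seconds   # the 600 in "tag: src, host, 600, seconds"
        self.tags: Dict[str, float] = {}  # tagged source host -> expiry timestamp
        self.alerts: List[Packet] = []
        self.tagged: List[Packet] = []

    def _activate_rule(self, p: Packet) -> bool:
        """activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: IMAP_SIG;)"""
        return (not p.src.startswith(self.home_prefix)
                and p.dst.startswith(self.home_prefix)
                and p.dport == 143
                and p.flags == "PA"
                and IMAP_SIG in p.payload)

    def _is_tagged(self, p: Packet) -> bool:
        """True if the packet's source host carries a live tag; expired tags are dropped."""
        expiry = self.tags.get(p.src)
        if expiry is None:
            return False
        if p.ts > expiry:            # window elapsed: stop logging this host
            del self.tags[p.src]
            return False
        return True

    def process(self, p: Packet) -> str:
        """Classify one packet as "alert", "tagged" or "pass"."""
        if self._activate_rule(p):
            self.alerts.append(p)
            # "tag: src, host": tag the source host of the triggering packet.
            # A repeat alert simply restarts the window (a simplification).
            self.tags[p.src] = p.ts + self.tag_seconds
            return "alert"
        if self._is_tagged(p):
            self.tagged.append(p)
            return "tagged"
        return "pass"


ATTACKER, VICTIM, HOME2, BYSTANDER = "192.0.2.10", "10.0.0.5", "10.0.0.9", "192.0.2.77"

SAMPLE_PACKETS = [  # constructed capture, in time order
    Packet(0.0,   ATTACKER,  VICTIM, 143, "PA", b"A" * 32 + IMAP_SIG + b"/sh\x00"),  # exploit
    Packet(30.0,  ATTACKER,  VICTIM,  22, "S"),                                    # follow-on
    Packet(45.0,  BYSTANDER, VICTIM, 143, "PA", b"a001 LOGIN bob secret\r\n"),    # benign IMAP
    Packet(599.0, ATTACKER,  HOME2,   80, "PA", b"GET / HTTP/1.0\r\n\r\n"),       # inside window
    Packet(700.0, ATTACKER,  VICTIM,  22, "S"),                                    # window over
]


def run(packets: List[Packet] = SAMPLE_PACKETS, tag_seconds: int = 600) -> List[str]:
    """Feed the packets through a fresh engine and return one verdict per packet."""
    engine = HostTagEngine("10.0.0.", tag_seconds)
    return [engine.process(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run()):
        print(f"{p.ts:6.1f}s {p.src} -> {p.dst}:{p.dport} {verdict}")
```

The point the reply makes is visible in `process`: the source address that Philipp wanted to carry in an `$ATTACKER` variable is taken from the triggering packet at run time and kept in the tag, so no static variable is needed, and the 600-second window bounds how long the extra logging lasts. Run with a shorter `tag_seconds` to see the later packets fall back to "pass".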