[Snort-devel] dynamic rules

Martin Roesch roesch at ...402...
Fri Jun 29 09:27:25 EDT 2001


Use the tag subsystem built into 1.8.

activate tcp !$HOME_NET any -> $HOME_NET 143 \
	(flags: PA;                   \
	content:"|E8C0FFFFFF|/bin/sh"; \
	tag: src, host, 600, seconds; \
	msg: "IMAP buffer overflow!";)

That'll do what you want (record all traffic from the host that caused
the alert to be generated for the next 10 minutes).

There's also a pointer in the tag struct for attaching an OptTreeNode to
the dynamic logging tag, which eventually (when I get around to it) will
allow us to generate real dynamic rules in terms of the hosts that are
involved in a connection.

    -Marty

Philipp Stadler wrote:
> 
> Hi,
> 
> I've an idea about dynamic rules and I want to know what you think about.
> 
> Following example will show my proposition (you need not to look exactly at the
> rules, only the rule-header is important):
> 
> $HOME_NET is my own network "behind" SNORT.
> $ATTACKER the IP of an possible attacker.
> 
> activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content:
> "|E8C0FFFFFF|/bin/sh"; activates: 1; msg: "IMAP buffer overflow!";)
> 
> dynamic tcp $ATTACKER any -> $HOME_NET any (activated_by: 1;)
> 
> with this dynamic rule I want to log all packets from the Attacker to my Home
> Network, so I can see all what he is trying to send to my network.
> 
> with the following packet I will trigger the activate-rule:
> 
> 13:36:19.307815 > attacker.com.1025 > myimap.at.1023: P 31872:32196(324) ack 1
>           win 32120 <nop,nop,timestamp 16790928 2816101900> (DF)
> 
> now I will log the whole traffic from "attacker.com" to my home_net, but in
> actual versions of SNORT
> I can only specify static variables (like $HOME_NET).
> So I want to reference in the dynamic rule to the original collected packet
> (like this one above).
> 
> Sorry for my bad english, I hope you can understand what I mean, because I think
>  this would be a cool feature for SNORT.
> 
> best regards
> Philipp Stadler
> T-Systems
> debis Systemhaus Oesterreich GmbH
> Communication Platforms
> telephone: +(43) 1 599 03 - 4759
> fax: +43 1 595 34 67- 4399
> mail: Philipp.Stadler at ...491...
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
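To make the behaviour Marty describes concrete (alert once on the overflow pattern, then record everything the alerting source host sends for the next 600 seconds), here is a small Python model of that host tag, added for this page and not taken from Snort's source. It assumes a constructed `$HOME_NET` prefix of `192.168.1.`, a hand-built packet list, and the simplification that a `src` host tag logs later packets whose source address equals the alerting host. It also includes a parser for Snort's `content:` syntax, so the `|E8C0FFFFFF|/bin/sh` pattern from the rule is turned into real bytes and an unbalanced `|` is rejected instead of silently mis-parsed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy model of Snort 1.8 host tagging ("tag: host, 600, seconds, src").
# Written as an illustration for this thread; it is not Snort code.


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string such as '|E8C0FFFFFF|/bin/sh' to bytes.

    Text between a pair of '|' characters is hex (spaces allowed), everything
    else is literal text. Backslash escapes are not handled in this toy."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:                      # odd count means every '|' is paired
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                           # inside |...|
            hexdigits = part.replace(" ", "")
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexdigits):
                raise ValueError("bad hex section: %r" % part)
            out += bytes.fromhex(hexdigits)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def is_valid_content(spec: str) -> bool:
    """True if parse_content() accepts the string."""
    try:
        parse_content(spec)
        return True
    except ValueError:
        return False


@dataclass
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    dport: int
    content: bytes
    tag_seconds: int


HOME_NET = "192.168.1."   # constructed stand-in for $HOME_NET


def in_home_net(ip: str) -> bool:
    return ip.startswith(HOME_NET)


class HostTagger:
    """Fire the rule, then log every later packet from the alerting source
    host until the tag expires (a seconds-based count, as in the rule above)."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.tags: Dict[str, float] = {}   # tagged source host -> expiry time
        self.alerts: List[str] = []
        self.logged: List[Packet] = []

    def _matches(self, p: Packet) -> bool:
        return (not in_home_net(p.src) and in_home_net(p.dst)
                and p.dport == self.rule.dport
                and self.rule.content in p.payload)

    def process(self, p: Packet) -> Optional[str]:
        """Return 'alert', 'tagged' or None for one packet."""
        expiry = self.tags.get(p.src)
        if expiry is not None and p.ts >= expiry:   # tag has run out
            del self.tags[p.src]
            expiry = None
        if self._matches(p):
            self.alerts.append("%s from %s" % (self.rule.msg, p.src))
            self.tags[p.src] = p.ts + self.rule.tag_seconds  # (re)start the window
            self.logged.append(p)
            return "alert"
        if expiry is not None:                       # any port, any payload: tag wins
            self.logged.append(p)
            return "tagged"
        return None


RULE = Rule(msg="IMAP buffer overflow!", dport=143,
            content=parse_content("|E8C0FFFFFF|/bin/sh"), tag_seconds=600)

# Constructed traffic: 10.0.0.5 plays attacker.com, 192.168.1.10 the IMAP server.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "192.168.1.10", 143, b"a001 LOGIN user pass\r\n"),
    Packet(1.0, "10.0.0.5", "192.168.1.10", 143, b"A" * 32 + b"\xe8\xc0\xff\xff\xff/bin/sh"),
    Packet(5.0, "10.0.0.5", "192.168.1.10", 22, b"SSH-2.0-client\r\n"),
    Packet(300.0, "10.0.0.7", "192.168.1.10", 143, b"a002 CAPABILITY\r\n"),
    Packet(700.0, "10.0.0.5", "192.168.1.10", 80, b"GET / HTTP/1.0\r\n"),
]


def run(packets: List[Packet] = SAMPLE) -> List[Optional[str]]:
    tagger = HostTagger(RULE)
    return [tagger.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run()):
        print("t=%6.1f %s -> %s:%d  %s" % (pkt.ts, pkt.src, pkt.dst, pkt.dport, verdict))
```

Running it shows the second packet raising the alert, the SSH packet from the same host being logged purely because of the tag, a different host's IMAP traffic being ignored, and the packet at t=700 falling outside the 600-second window. Whether a second alert from the same host extends the window is this toy's choice, not a statement about Snort's implementation.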