[Snort-devel] Activate/Dynamic versus tagging

Bill McCarty bmccarty at ...1217...
Tue Mar 26 11:48:03 EST 2002


I'm curious concerning the rationale for the planned replacement of 
activate/dynamic rules by tagging, which is mentioned in Section 2.2.6 of 
the Snort User's Manual for version 1.8.4.

Activate/dynamic rules provide a computationally more powerful capability 
than tagging, which merely enables logging of packets subsequent to a 
detected event. Activate/dynamic rules enable creation of rule sets that 
incorporate state, making it possible to signal events based on traffic 
history rather than merely characteristics of the current packet. It seems 
to me that this capability could be helpful in avoiding false positives. 
Granted, I'm not aware of any existing rule sets that capitalize on this 
opportunity.

Is it possible that the planned demise of this capability might be 
reconsidered?

I won't ask if it's possible that I'm missing a crucially important 
consideration or am otherwise entirely mistaken, as I KNOW this to be 
possible <grin>.

Cheers,

---------------------------------------------------
Bill McCarty




More information about the Snort-devel mailing list