[Snort-devel] Activate/Dynamic versus tagging

Chris Green cmg at ...402...
Wed Mar 27 09:02:04 EST 2002

Bill McCarty <bmccarty at ...1217...> writes:

> I'm curious concerning the rationale for the planned replacement of
> activate/dynamic rules by tagging, which is mentioned in Section 2.2.6
> of the Snort User's Manual for version 1.8.4.
> Activate/dynamic rules provide a computationally more powerful
> capability than tagging, which merely enables logging of packets
> subsequent to a detected event. Activate/dynamic rules enable creation
> of rule sets that incorporate state, making it possible to signal
> events based on traffic history rather than merely characteristics of
> the current packet. It seems to me that this capability could be
> helpful in avoiding false positives. Granted, I'm not aware of any
> existing rule sets that capitalize on this opportunity.
> Is it possible that the planned demise of this capability might be
> reconsidered?

Replacing that functionality cleanly with tagging is what is going to
happen. In the fabled 2.0, we're going to have a way to tag and then
alert on tagged sessions that match foo condition.

activate/dynamic is meant to have a rule trigger the creation of a
logging rule.

Trouble is it adds the rule back for ALL packets so when you just
wanted a singular response code, you got a mess.

We are talking about how to refactor that type of functionality:

alert any any -> any 80 (content: "GET"; msg: "Wee"; sid: 1;)

tag 1 {
    host, 500, seconds
    action: watch;
}

alert any 80 -> any any (tagged_sid: 1;
             content: "HTTP/1.1"; msg: "HTTP capable server"; sid: 2;)

tag 2 {
    host, 500, seconds
    action: log;
}

Something like this will be creatable.  What it finally ends up being,
we're debating.  Something intuitive and something that lets you
update rules without manually editing your actions.

Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
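Added illustration (not part of the thread and not Snort code): a small Python simulation of the "tag, then alert on tagged hosts" flow sketched above, i.e. a first rule that tags a host, a second rule that only fires for a host carrying that tag, and a "log" tag that records the host's subsequent packets until it expires. The rule and tag representation, the choice of which end of the triggering packet a tag attaches to (`side`), the `watch`/`log` actions and the sample packets are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed packet/rule/tag shapes for the simulation; not Snort's data structures.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float  # seconds

@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    sport: Optional[int] = None       # None = any
    dport: Optional[int] = None       # None = any
    tagged_sid: Optional[int] = None  # fire only if pkt.src carries this sid's tag

@dataclass(frozen=True)
class TagSpec:
    sid: int
    seconds: int
    action: str  # "watch": keep state only; "log": record the host's packets
    side: str    # "src" or "dst": which host of the triggering packet gets tagged

class TagEngine:
    def __init__(self, rules, tagspecs):
        self.rules = list(rules)
        self.specs = {t.sid: t for t in tagspecs}
        self.tagged = {}  # (sid, host) -> expiry time
        self.alerts = []  # (sid, msg, src, dst, ts)
        self.logged = []  # (sid, src, dst, ts)

    def _expire(self, now):
        for key, exp in list(self.tagged.items()):
            if exp <= now:
                del self.tagged[key]

    def _matches(self, rule, pkt):
        if rule.sport is not None and pkt.sport != rule.sport:
            return False
        if rule.dport is not None and pkt.dport != rule.dport:
            return False
        if rule.content not in pkt.payload:
            return False
        # the stateful part: a tagged_sid rule needs prior history for this host
        if rule.tagged_sid is not None and (rule.tagged_sid, pkt.src) not in self.tagged:
            return False
        return True

    def process(self, pkt):
        """Evaluate one packet; returns the list of sids that fired."""
        now = pkt.ts
        self._expire(now)
        # "log" tags: record every packet to or from a tagged host while the tag lives
        for (sid, host) in list(self.tagged):
            if self.specs[sid].action == "log" and host in (pkt.src, pkt.dst):
                self.logged.append((sid, pkt.src, pkt.dst, now))
        fired = []
        for rule in self.rules:
            if not self._matches(rule, pkt):
                continue
            fired.append(rule.sid)
            self.alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst, now))
            spec = self.specs.get(rule.sid)
            if spec is not None:
                host = pkt.src if spec.side == "src" else pkt.dst
                self.tagged[(spec.sid, host)] = now + spec.seconds
        return fired

# The two rules and two tags from the sketch, in the assumed representation.
RULES = [
    Rule(sid=1, msg="Wee", content=b"GET", dport=80),
    Rule(sid=2, msg="HTTP capable server", content=b"HTTP/1.1", sport=80, tagged_sid=1),
]
TAGS = [
    TagSpec(sid=1, seconds=500, action="watch", side="dst"),  # watch the server that got the GET
    TagSpec(sid=2, seconds=500, action="log", side="src"),    # log the server that answered
]

def run_demo():
    """Constructed traffic: one real GET/response pair, one unsolicited response, one late response."""
    eng = TagEngine(RULES, TAGS)
    client, server, other = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    packets = [
        Packet(client, 40000, server, 80, b"GET / HTTP/1.1\r\n", 0.0),
        Packet(other, 80, client, 40001, b"HTTP/1.1 200 OK\r\n", 0.5),   # no prior GET: no alert
        Packet(server, 80, client, 40000, b"HTTP/1.1 200 OK\r\n", 1.0),  # tagged host answers
        Packet(server, 80, client, 40000, b"<html>...</html>", 2.0),     # logged by tag 2
        Packet(server, 80, client, 40000, b"HTTP/1.1 200 OK\r\n", 700.0),  # tags expired
    ]
    fired = [eng.process(p) for p in packets]
    return eng, fired

if __name__ == "__main__":
    engine, fired = run_demo()
    print("fired per packet:", fired)
    print("alerts:", engine.alerts)
    print("logged:", engine.logged)
```

The unsolicited `HTTP/1.1` response from `198.51.100.7` is the case the quoted message is after: rule 2 stays quiet because that host never carried the tag from rule 1, so the history, not just the current packet, decides the alert. Because the state is kept per host rather than by re-adding a rule for all packets, the response from the watched server produces one alert and a bounded log window instead of the "mess" the reply describes.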
