[Snort-devel] Activate/Dynamic versus tagging

Bill McCarty bmccarty at ...1217...
Wed Mar 27 16:05:02 EST 2002

Hi Chris,

Thanks for the information! It sounds like you're aiming at what I want, 
after all <grin>. Action:watch is the part I didn't know of.

I just started designing a off-line data mining application that looks at 
the context of a packet as well as its content. By context, I mean such 
characteristics as the state of the connection (which can't be reliably 
determined by the deceitful TCP flags), the host history, and so on.

I'd like the application to generate rules usable by Snort. From what I can 
see, this may be possible using tagging, which could be configured to tag 
only the next upcoming packet associated with a connection (that is, a pair 
of sockets). Essentially, what I'm aiming at is a rule set that includes 
finite-state machines rather than single-shot rules.

I'm aware the high traffic volumes could cause packet loss and therefore 
weirdness when using stateful rules. But, for some networks, it's possible 
to buy a sufficiently fast box and pretty much avoid such issues.


--On Wednesday, March 27, 2002 12:01 PM -0500 Chris Green 
<cmg at ...402...> wrote:

> Bill McCarty <bmccarty at ...1217...> writes:
>> I'm curious concerning the rationale for the planned replacement of
>> activate/dynamic rules by tagging, which is mentioned in Section 2.2.6
>> of the Snort User's Manual for version 1.8.4.
>> Activate/dynamic rules provide a computationally more powerful
>> capability than tagging, which merely enables logging of packets
>> subsequent to a detected event. Activate/dynamic rules enable creation
>> of rule sets that incorporate state, making it possible to signal
>> events based on traffic history rather than merely characteristics of
>> the current packet. It seems to me that this capability could be
>> helpful in avoiding false positives. Granted, I'm not aware of any
>> existing rule sets that capitalize on this opportunity.
>> Is it possible that the planned demise of this capability might be
>> reconsidered?
> Replacing that functionality cleanly with tagging is what is going to
> happen. In the fabled 2.0, we're going to have a way to tag and then
> alert on tagged sessions that match foo condition.
> activate/dynamic is meant to have a rule trigger the creation of a
> logging rule.
> Trouble is it adds the rule back for ALL packets so when you just
> wanted a singular response code, you got a mess.
> We are talking about how refactor that type of functionality
> alert any any -> any 80 (content: "GET"; msg: "Wee"; sid: 1;)
> tag 1 {
>     host, 500, seconds
>     action: watch;
> }
> alert any 80 -> any any (tagged_sid: 1;
>              content: "HTTP/1.1"; msg: "HTTP cabable server"; sid: 2;)
> tag 2 {
>     host, 500, seconds
>     action: log;
> }
> Something like this will be creatable.  What it finally ends up being,
> we're debating.  something intuitive and something that lets you
> update rules without manually editing your actions.
> --
> Chris Green <cmg at ...402...>
>  "Not everyone holds these truths to be self-evident, so we've worked
>                   up a proof of them as Appendix A." --  Paul Prescod

Bill McCarty

More information about the Snort-devel mailing list