[Snort-devel] time range options for rules
frank at ...2134...
Wed Apr 21 15:46:07 EDT 2004
On Wed, 2004-04-21 at 17:38, Federico Castañeda wrote:
> Is there any planned modification in rules options to include time
> range validation? For example, if I want to write a rule for a period
> of time, and include something like:
> valid_from: "2004-04-19"; valid_to: "2004-05-01";
I had brought up something similar in the past: A rule option that
specifies a time period. That allows someone to enable or disable a rule
during a certain time period, for example, during batched FTP transfer
windows or virus update windows.
It may be too intensive for Snort to check the date on every packet. I
found that cron can help out tremendously for en/dis-abling rules on the
fly. That way Snort isn't bothered on every packet, but instead with a
HUP signal for reload of rules on the time boundaries.
The same should work for you with fixed dates. I would look at utilizing
scripts that are scheduled with the at command.
Warning at the Gates of Bill:
Abandon hope, all ye who press <ENTER> here...
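
The cron/at approach described in the reply above, as an added example that is not part of the original thread or of Snort itself: a script that comments a rule out when today is outside its valid_from/valid_to dates and sends Snort a HUP only when the rules file actually changed. The rules file path, pidfile path and SID 1000001 are hypothetical, and the rule is assumed to sit on one line containing its sid option.

```shell
#!/bin/sh
# Added example: apply a date window to one Snort rule from cron/at,
# outside of Snort itself. Paths and the SID below are assumptions.

# to_num YYYY-MM-DD -> YYYYMMDD, so dates compare as integers
to_num() { printf '%s' "$1" | tr -d '-'; }

# in_window FROM TO TODAY: succeeds when FROM <= TODAY <= TO
in_window() {
    [ "$(to_num "$3")" -ge "$(to_num "$1")" ] &&
    [ "$(to_num "$3")" -le "$(to_num "$2")" ]
}

# apply_window FILE SID FROM TO [TODAY]
# Uncomments the rule inside the window, comments it out otherwise.
# Returns 0 if FILE was changed (reload needed), 1 if already correct.
apply_window() {
    file=$1 sid=$2 from=$3 to=$4 today=${5:-$(date +%Y-%m-%d)}
    pat="sid:[[:space:]]*$sid;"
    tmp=$(mktemp) || return 2
    if in_window "$from" "$to" "$today"; then
        sed "/$pat/ s/^#[#[:space:]]*//" "$file" > "$tmp"
    else
        sed "/$pat/ { s/^#[#[:space:]]*//; s/^/# /; }" "$file" > "$tmp"
    fi
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$file"; rm -f "$tmp"   # keep the file's owner and mode
    return 0
}

# reload_snort PIDFILE: HUP Snort so it re-reads its rules
reload_snort() { kill -HUP "$(cat "$1")"; }

# A daily cron entry would call (hypothetical paths and SID):
#   apply_window /etc/snort/rules/local.rules 1000001 2004-04-19 2004-05-01 \
#       && reload_snort /var/run/snort.pid
```

Because apply_window reports whether the file changed, a job that runs every day reloads Snort only on the two boundary dates.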