[Snort-devel] time range options for rules

Frank Knobbe frank at ...2134...
Wed Apr 21 15:46:07 EDT 2004


On Wed, 2004-04-21 at 17:38, Federico Castañeda wrote:
> Is there any planned modification in rules options to include time
> range validation? For example, if I want to write a rule for a period
> of time, and include something like:
> 
> valid_from: "2004-04-19"; valid_to: "2004-05-01";

I had brought up something similar in the past: A rule option that
specifies a time period. That allows someone to enable or disable a rule
during a certain time period, for example, during batched FTP transfer
windows or virus update windows.

It may be too intensive for Snort to check the date on every packet. I
found that cron can help out tremendously for en/dis-abling rules on the
fly. That way Snort isn't bothered on every packet, but instead with a
HUP signal for reload of rules on the time boundaries.

The same should work for you with fixed dates. I would look at utilizing
scripts that are scheduled with the at command.

Regards,
Frank


-- 
Warning at the Gates of Bill:  
Abandon hope, all ye who press <ENTER> here...
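
The cron/at approach described in the message above, as an added example that is not part of the original post or of Snort itself: a script that comments or uncomments one rule by SID and sends Snort a HUP only when the file changed. The rules file path, PID file path, script path and SID 1000001 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): toggle one rule by SID, then HUP Snort.
# Assumed defaults; the paths and any SID used are placeholders for the local install.
RULES_FILE="${RULES_FILE:-/etc/snort/rules/local.rules}"
PID_FILE="${PID_FILE:-/var/run/snort.pid}"

# set_rule_state FILE SID on|off
# "off" comments out the rule carrying sid:SID; and "on" uncomments it.
# Returns 0 if the file changed, 1 if it was already in that state, 2 on error.
set_rule_state() {
    file=$1 sid=$2 state=$3
    case $sid in ''|*[!0-9]*) echo "bad sid: $sid" >&2; return 2 ;; esac
    case $state in on|off) ;; *) echo "state must be on or off" >&2; return 2 ;; esac
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    awk -v sid="$sid" -v state="$state" '
        # Exact SID match: sid:1000001; must not hit sid:11000001; or sid:10000010;
        $0 ~ ("sid:[ \t]*" sid "[ \t]*;") {
            if (state == "off" && $0 !~ /^[ \t]*#/) $0 = "# " $0
            else if (state == "on") sub(/^[ \t]*#[ \t]*/, "")
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    # Write back in place so the rules file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# reload_snort PIDFILE: send the HUP that makes Snort reread its rules.
reload_snort() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    kill -HUP "$pid"
}

# Signal Snort only when the rules file actually changed.
toggle_and_reload() {
    set_rule_state "$RULES_FILE" "$1" "$2" && reload_snort "$PID_FILE"
}

# Scheduling (constructed entries; script path and SID are assumptions):
#   recurring window via crontab:
#     0 2 * * * /usr/local/sbin/snort-rule-window.sh 1000001 off
#     0 3 * * * /usr/local/sbin/snort-rule-window.sh 1000001 on
#   fixed dates via at(1), using the dates from the quoted question:
#     echo '/usr/local/sbin/snort-rule-window.sh 1000001 on'  | at -t 200404190000
#     echo '/usr/local/sbin/snort-rule-window.sh 1000001 off' | at -t 200405010000
if [ "$#" -eq 2 ]; then toggle_and_reload "$@"; fi
```

Because the reload is skipped when nothing changed, a job that fires twice or runs late does not restart rule processing needlessly.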
