No subject


Thu Nov 23 16:31:58 EST 2017


which activated it. Also, dynamic and activate rules seem to need to be
on a one to one ratio. For example, if you had an activate rule that
alerted on some particular exploit that occurred over socket
attacker:1026 <-> target:80, you can't have your dynamic rule capture
ONLY that traffic - you've got to capture any any <-> target:80. It
would be nice to have a dynamic rule such as:

dynamic tcp *dstip *dstport <-> *srcip *srcport (activated_by: 1; count:
50;)

This would then use the destination ip, port, source ip, and port for
the alert that activated this rule.

Unfortunately, (and I may be wrong about this) since activate and
dynamic rules are on a 1 to 1 basis, you can't have every single alert
generated by every activate rule activate a single dynamic rule.

I'm not sure if you're already doing this (and I don't think that you
are unless the event_reference field in unified is for this) but it
would be awesome if the log entries generated by the dynamic rule would
reference the alert which activated the dynamic rule.

Now, I have some questions about current behavior of dynamic rules. What
happens if you tell a dynamic rule to capture the next 50 packets, and
only 10 packets ever cross the network? Does the rule just sit there and
stay active? Could we have a 'timeout' option? Also, what happens if an
alert is triggered by an activate rule twice very quickly? Do two
instances of the activate rule get activated, or is the 'capture this
many packets' counter just incremented to capture those extra packets
requested by the second activation? Also, do packets logged by a dynamic
rule go into the snort unified packet log? (I'll try to do some
experiments to discern these things, but some official response would be
really great) :)

Thanks a lot,
Mathew Johnston
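As an added illustration of the one-to-one activate/dynamic pairing discussed in the post above (example code added here, not from the original message or from the Snort project): a small Python checker that reads rule lines in the classic Snort activate/dynamic syntax, pairs them by their activates/activated_by ids, and flags dynamic rules whose source side is "any any", which is exactly the case where the dynamic rule logs every flow to the target instead of only the socket that triggered the alert. The rule lines, ids and contents are constructed for this example.

```python
import re

# Constructed sample rule set in the classic Snort activate/dynamic syntax;
# the rule contents and ids are made up for illustration.
SAMPLE_RULES = """\
activate tcp !$HOME_NET any -> $HOME_NET 80 (msg:"example web exploit"; content:"/cgi-bin/evil"; activates:1;)
dynamic tcp any any -> $HOME_NET 80 (activated_by:1; count:50;)
dynamic tcp any any -> $HOME_NET 443 (activated_by:2; count:50;)
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(activate|dynamic)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_rules(text):
    """Parse activate/dynamic rule lines into dicts; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        options = {}
        for opt in opts.split(";"):
            if ":" in opt:
                key, value = opt.split(":", 1)
                options[key.strip()] = value.strip()
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dir": direction, "dst": dst, "dport": dport, "options": options})
    return rules


def check_pairing(rules):
    """Return (problem, activation id) tuples for dynamic rules that have no
    matching activate rule or that capture a wider source than the activating flow."""
    activators = {r["options"]["activates"]: r
                  for r in rules if r["action"] == "activate" and "activates" in r["options"]}
    findings = []
    for r in rules:
        if r["action"] != "dynamic":
            continue
        act_id = r["options"].get("activated_by")
        if act_id not in activators:
            findings.append(("unpaired", act_id))
            continue
        # "any any" on the source side means the dynamic rule logs every flow to
        # the destination, not only the socket that fired the activate rule.
        if r["src"] == "any" and r["sport"] == "any":
            findings.append(("wide-source", act_id))
    return findings


if __name__ == "__main__":
    for problem, act_id in check_pairing(parse_rules(SAMPLE_RULES)):
        print(f"{problem}: activation id {act_id}")
```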
