[Snort-sigs] chaining rules

Blake Frantz blake at ...363...
Thu Feb 14 12:28:59 EST 2002


Is it possible to chain rules together?  I have played with the
dynamic/activate parameters but I don't think they do what I'm looking
for.

Let's use 'x probe' (http://www.sys-security.com/html/projects/X.html) as an
example; below is a tcpdump of an x-probe:

13:38:40.675112 eth0 > www.host1.com.4010 > www.host2.com.32132: udp 70 (DF)
13:38:40.785112 eth0 < www.host2.com > www.host1.com: icmp: www.host2.com udp port 32132 unreachable [tos 0xc0]
13:38:40.785112 eth0 > www.host1.com > www.host2.com: icmp: echo request (DF) [tos 0x6,ECT]
13:38:40.865112 eth0 < www.host2.com > www.host1.com: icmp: echo reply [tos 0x6,ECT]
...


Is it possible to check for a packet destined to 'host2' with a udp port
over 30000, then activate a rule to look for an echo request from the same
machine that issued the initial udp packet?  If this rule matches, alert
(x probe being used), or something to that effect?

Any ideas?

-Blake
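As an added example (not part of Blake's post or Snort's own code), here is the two-stage check he describes written as stand-alone Python over tcpdump-style lines: the first stage arms per-source state on a UDP datagram to host2 above port 30000, and the second alerts on an ICMP echo request from that same source within a short window. The sample lines beyond the four quoted above, the 2-second window and the hostnames are constructed assumptions.

```python
import re

# tcpdump "src.port > dst.port: udp" and "src > dst: icmp: echo request" lines
UDP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ [<>] (\S+?)\.(\d+) > (\S+?)\.(\d+): udp")
ECHO_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ [<>] (\S+) > (\S+): icmp: echo request")

# Constructed sample: the four lines from the post, plus host3 (UDP to a low
# port, so it must not arm) and host4 (armed, but the echo comes too late).
SAMPLE = """\
13:38:40.675112 eth0 > www.host1.com.4010 > www.host2.com.32132: udp 70 (DF)
13:38:40.785112 eth0 < www.host2.com > www.host1.com: icmp: www.host2.com udp port 32132 unreachable [tos 0xc0]
13:38:40.785112 eth0 > www.host1.com > www.host2.com: icmp: echo request (DF) [tos 0x6,ECT]
13:38:40.865112 eth0 < www.host2.com > www.host1.com: icmp: echo reply [tos 0x6,ECT]
13:38:41.100000 eth0 > www.host3.com.53 > www.host2.com.53: udp 40 (DF)
13:38:41.200000 eth0 > www.host3.com > www.host2.com: icmp: echo request (DF)
13:38:50.000000 eth0 > www.host4.com.1025 > www.host2.com.40000: udp 70 (DF)
13:38:55.000000 eth0 > www.host4.com > www.host2.com: icmp: echo request (DF)
"""


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (same-day captures only)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect_xprobe(lines, target="www.host2.com", min_port=30000, window=2.0):
    """Return (timestamp, source) pairs where a UDP datagram to `target` on a
    port above `min_port` (stage 1, "activate") is followed within `window`
    seconds by an ICMP echo request from the same source (stage 2, "dynamic")."""
    armed = {}   # source host -> time of the arming UDP packet
    alerts = []
    for line in lines.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, _sport, dst, dport = m.groups()
            if dst == target and int(dport) > min_port:
                armed[src] = _seconds(ts)
            continue
        m = ECHO_RE.match(line)
        if m:
            ts, src, dst = m.groups()
            if dst != target or src not in armed:
                continue
            t0 = armed.pop(src)          # one alert per arming packet
            if _seconds(ts) - t0 <= window:
                alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in detect_xprobe(SAMPLE):
        print(f"{ts} possible x-probe from {src}")
```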