[Snort-sigs] chaining rules

Brian bmc at ...95...
Fri Feb 15 07:43:31 EST 2002

According to Blake Frantz:
> Is it possible to chain rules together?  I have played with the
> dynamic/activate parameters but I don't think they do what I'm looking
> for.
> Is it possible to check for a packet destined to 'host2' with a udp port
> over 30000, then activate a rule to look for an echo request from the same
> machine that issued the initial udp packet?  If this rule matches, alert
> (x probe being used) or something to that effect?
> Any ideas?

This is exactly what you are looking for.
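
An activate/dynamic pair for the scenario in the question, added here as an illustration and not taken from either poster. The variable HOST2, its address and the count value are assumptions.

```snort
# Constructed example: HOST2 and 192.0.2.10 (a documentation address) are
# placeholders for the machine called 'host2' in the question.
var HOST2 192.0.2.10

# Stage 1: an activate rule behaves like an alert rule. It fires on a UDP
# packet to HOST2 with a destination port above 30000 and arms every
# dynamic rule whose activated_by value is 1.
activate udp any any -> $HOST2 30001: (msg:"UDP to high port on host2, possible probe"; activates:1;)

# Stage 2: a dynamic rule stays dormant until armed, then behaves like a
# log rule. itype:8 restricts it to ICMP echo requests; count:20 (an
# assumed value) bounds how long it stays armed.
# The header of a dynamic rule is fixed text, so this rule matches echo
# requests to HOST2 from any source while armed, not only from the host
# that sent the UDP packet. Tying the two packets to one source address
# has to be done when reviewing the logged packets.
dynamic icmp any any -> $HOST2 any (activated_by:1; count:20; itype:8; msg:"ICMP echo request after high-port UDP to host2";)
```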


