[Snort-sigs] chaining rules

Brian bmc at ...95...
Fri Feb 15 07:43:31 EST 2002


According to Blake Frantz:
> Is it possible to chain rules together?  I have played with the
> dynamic/activate parameters but I don't think they do what I'm looking
> for.
>
> Is it possible to check for a packet destined to 'host2' with a udp port
> over 30000, then activate a rule to look for an echo request from the same
> machine that issued the initial udp packet?  If this rule matches, alert
> (x probe being used) or something to that effect?
>
> Any ideas?

This is exactly what you are looking for.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.5

-brian
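
The two-stage correlation asked about in the question, written as stand-alone Python rather than Snort rule syntax. This is an added example, not part of the original thread or of Snort; the `Pkt` record fields, the address used for 'host2' and the 5-second window are assumptions.

```python
from collections import namedtuple

# Constructed packet summary; field names are assumptions for this example.
Pkt = namedtuple("Pkt", "ts src dst proto dport icmp_type")

HOST2 = "192.0.2.20"      # assumed address for 'host2' (documentation range)
WINDOW = 5.0              # assumed: seconds in which the echo request must follow
ICMP_ECHO_REQUEST = 8


def correlate(packets, target=HOST2, window=WINDOW):
    """Return alerts for sources that send UDP to a port above 30000 on
    target and then an ICMP echo request to target within the window."""
    armed = {}    # src -> timestamp of its last high-port UDP packet
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dst != target:
            continue
        # Expire stale state so the table cannot grow without bound.
        for src in [s for s, t in armed.items() if p.ts - t > window]:
            del armed[src]
        if p.proto == "udp" and p.dport is not None and p.dport > 30000:
            armed[p.src] = p.ts           # stage 1: arm the second check
        elif p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST:
            if p.src in armed:            # stage 2: same source followed up
                alerts.append((p.ts, p.src, "UDP high port then echo request"))
                del armed[p.src]          # one alert per armed event
    return alerts


# Constructed sample traffic
SAMPLE = [
    Pkt(1.0, "198.51.100.7", HOST2, "udp", 32132, None),   # arms .7
    Pkt(1.2, "198.51.100.7", HOST2, "icmp", None, 8),      # alert
    Pkt(2.0, "198.51.100.9", HOST2, "icmp", None, 8),      # plain ping
    Pkt(3.0, "198.51.100.8", HOST2, "udp", 53, None),      # low port
    Pkt(4.0, "198.51.100.5", HOST2, "udp", 40000, None),   # arms .5
    Pkt(12.0, "198.51.100.5", HOST2, "icmp", None, 8),     # outside window
    Pkt(13.0, "198.51.100.7", "192.0.2.99", "udp", 31000, None),  # other host
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```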




