[Snort-sigs] chaining rules
bmc at ...95...
Fri Feb 15 07:43:31 EST 2002
According to Blake Frantz:
> Is it possible to chain rules together? I have played with the
> dynamic/activate parameters but I don't think they do what I'm looking
> is it possible to check for a packet destined to 'host2' with a udp port
> over 30000, then activate a rule to look for an echo request from the same
> machine that issued the initial udp packet. If this rule matches, alert
> (x probe being used) or something to that effect?
> any ideas?
This is exactly what you are looking for.
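
Added example, not part of the original thread and not Snort code: the correlation asked about above, written as stateful detection logic over packet records. A UDP packet to host2 with a destination port over 30000 arms a per-source entry, and an ICMP echo request (type 8) from that same source raises the alert. The addresses, the 10-second window, the `Packet` fields and the sample packets are constructed assumptions.

```python
from collections import namedtuple

# Minimal packet record; field names are assumptions made for this example.
Packet = namedtuple("Packet", "ts src dst proto dport icmp_type")

HOST2 = "192.0.2.20"     # constructed address standing in for 'host2'
UDP_PORT_FLOOR = 30000   # "udp port over 30000" from the question
WINDOW = 10.0            # seconds an armed source stays armed (assumption)
ECHO_REQUEST = 8         # ICMP type for echo request

def correlate(packets, target=HOST2, window=WINDOW):
    """Return (ts, src) for each echo request that follows a high-port
    UDP packet to `target` from the same source within `window` seconds."""
    armed = {}    # src -> timestamp of the UDP packet that armed it
    alerts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        # Drop sources whose activating packet is older than the window.
        for src in [s for s, t in armed.items() if p.ts - t > window]:
            del armed[src]
        if (p.proto == "udp" and p.dst == target
                and p.dport is not None and p.dport > UDP_PORT_FLOOR):
            armed[p.src] = p.ts                 # first rule: arm this source
        elif (p.proto == "icmp" and p.icmp_type == ECHO_REQUEST
                and p.src in armed):
            alerts.append((p.ts, p.src))        # second rule: same source
            del armed[p.src]                    # one alert per activation
    return alerts

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet(0.0, "198.51.100.7", HOST2, "udp", 33434, None),  # arms .7
    Packet(1.5, "198.51.100.9", HOST2, "icmp", None, 8),     # .9 not armed
    Packet(2.0, "198.51.100.7", HOST2, "icmp", None, 8),     # alert
    Packet(3.0, "198.51.100.8", HOST2, "udp", 53, None),     # port too low
    Packet(4.0, "198.51.100.8", HOST2, "icmp", None, 8),     # no alert
    Packet(5.0, "198.51.100.9", HOST2, "udp", 40000, None),  # arms .9
    Packet(20.0, "198.51.100.9", HOST2, "icmp", None, 8),    # window expired
]

if __name__ == "__main__":
    for ts, src in correlate(SAMPLE):
        print(f"{ts:.1f} possible probe from {src}")
```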