[Snort-sigs] (no subject)

Matt Kettler mkettler at ...189...
Tue Feb 11 12:14:02 EST 2003


There's no way to do any time-based behaviors using a snort rule. Snort 
rules are entirely stateless, with the exception of the flows features, and 
the flows feature isn't time based either.

This kind of thing would have to be done by writing some kind of snort 
preprocessor.

At 09:31 PM 2/11/2003 +0200, Carmit Partoush wrote:
>Hello all,
>
>I am using snort,
>
>I want to verify that in one telnet session, in one minute I will not
>receive from the user more than 5 times the key "enter".('41')
>
>I want snort to close the session when I received the fifth enter
>request.
>
>Therefore I defined a rule : #alert tcp $HOME_NET any -> $EXTERNAL_NET 23
>(msg:"TELNET login Type alarm alarm"; content:"|41|";)
>
>This rule recognized telnet request and the "enter" key ('41'). I want
>snort to reset the session, that's why I am using :
>
>RESP_TCP_URG resp:rst_all;  that's how I am closing the session.
>
>I have no idea how to tell the snort to use the rule that I defined only
>after I recognize 5 "enter" in one minute in one session.
>
>(now it closes the session every time I am using telnet and "enter")
>
>any suggestion ???????
>
>Carmit
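
The per-session, time-windowed counting that the reply says a rule cannot express, as an added example that is not part of the original thread and is not Snort's preprocessor API. All names here (sess_key, on_payload, LIMIT, WINDOW_SEC) are hypothetical; the byte to count is a parameter, and the caller is assumed to pass the session 4-tuple, the client payload and a timestamp in seconds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LIMIT 5           /* act on the fifth key press ...            */
#define WINDOW_SEC 60     /* ... seen within one minute                */
#define MAX_SESSIONS 64   /* constructed table size for this sketch    */

typedef struct { uint32_t src, dst; uint16_t sport, dport; } sess_key;

typedef struct {
    int used;
    sess_key key;
    long hits[LIMIT];     /* ring buffer: times of the last LIMIT hits */
    unsigned pos, count;  /* next write slot, hits stored (max LIMIT)  */
} sess_state;

static sess_state table[MAX_SESSIONS];

static int key_eq(const sess_key *a, const sess_key *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Find the state for a session, creating it on first sight. */
static sess_state *lookup(const sess_key *k) {
    sess_state *spare = NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].used && key_eq(&table[i].key, k)) return &table[i];
        if (!table[i].used && !spare) spare = &table[i];
    }
    if (spare) { memset(spare, 0, sizeof *spare); spare->used = 1; spare->key = *k; }
    return spare;         /* NULL when the table is full */
}

/* Feed one client payload. Returns 1 when it carries the LIMIT-th `key`
 * byte inside WINDOW_SEC, the point at which the session would be reset. */
int on_payload(const sess_key *k, const uint8_t *p, size_t len, long now, uint8_t key) {
    sess_state *s = lookup(k);
    int trip = 0;
    if (!s) return 0;     /* no state available: nothing to count against */
    for (size_t i = 0; i < len; i++) {
        if (p[i] != key) continue;
        s->hits[s->pos] = now;
        s->pos = (s->pos + 1) % LIMIT;  /* pos now indexes the oldest hit */
        if (s->count < LIMIT) s->count++;
        if (s->count == LIMIT && now - s->hits[s->pos] < WINDOW_SEC) trip = 1;
    }
    if (trip) s->used = 0; /* session is being torn down: release its state */
    return trip;
}
```

State is keyed by the 4-tuple, so two telnet sessions never share a count, and the ring buffer makes the window slide instead of resetting on a fixed minute boundary.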
