[Snort-sigs] (no subject)
carmit at ...1282...
Tue Feb 11 12:30:07 EST 2003
How can I write a snort preprocessor?
And how do I put it in the rule I defined?
From: Matt Kettler [mailto:mkettler at ...189...]
Sent: Tuesday, February 11, 2003 10:12 PM
To: Carmit Partoush; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] (no subject)
There's no way to do any time-based behaviors using a snort rule. Snort
rules are entirely stateless, with the exception of the flows feature,
and the flows feature isn't time-based either.
This kind of thing would have to be done by writing some kind of snort
At 09:31 PM 2/11/2003 +0200, Carmit Partoush wrote:
>I am using snort,
>I want to verify that in one telnet session, in one minute I will not
>receive from the user more than 5 times the key "enter" ('41').
>I want snort to close the session when I receive the fifth enter.
>Therefore I defined a rule: #alert tcp $HOME_NET any -> $EXTERNAL_NET
>(msg:"TELNET login Type alarm alarm"; content:"|41|";)
>This rule recognizes telnet requests and the "enter" key ('41'). I want
>snort to reset the session; that's why I am using:
>RESP_TCP_URG resp:rst_all; that's how I am closing the session.
>I have no idea how to tell snort to use the rule that I defined
>after I recognize 5 "enter" in one minute in one session.
>(now it closes the session every time I am using telnet and "enter")
>Any suggestions?
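The per-session, time-based counting that the reply says a stateless rule cannot express, as an added example that is not part of the thread and does not use Snort's preprocessor API. The names `session_state`, `record_hit` and `session_inspect` are hypothetical, the byte to count is a parameter, and the constructed sample uses 0x0D (ASCII carriage return).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HITS    5   /* the fifth key press inside the window trips */
#define WINDOW_SECS 60  /* one minute, as in the original question */

/* Hypothetical per-session state; a real preprocessor would keep one of
 * these per TCP connection in its own session table. */
typedef struct {
    uint32_t hits[MAX_HITS]; /* ring of the most recent hit timestamps */
    unsigned head, count;    /* oldest slot, number of live entries */
} session_state;

void session_init(session_state *s) { memset(s, 0, sizeof *s); }

/* Record one key press at time `now` (seconds, monotonic).
 * Returns 1 when MAX_HITS presses lie within WINDOW_SECS. */
static int record_hit(session_state *s, uint32_t now) {
    /* Drop the oldest press while it has expired or the ring is full. */
    while (s->count && (s->count == MAX_HITS ||
           now - s->hits[s->head] >= WINDOW_SECS)) {
        s->head = (s->head + 1) % MAX_HITS;
        s->count--;
    }
    s->hits[(s->head + s->count) % MAX_HITS] = now;
    s->count++;
    return s->count == MAX_HITS;
}

/* Scan one payload segment for `key`; 1 means "reset this session". */
int session_inspect(session_state *s, const uint8_t *p, size_t len,
                    uint8_t key, uint32_t now) {
    int trip = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == key && record_hit(s, now))
            trip = 1;
    return trip;
}

int main(void) {
    /* Constructed sample: one carriage return every 10 seconds. */
    session_state s; const uint8_t seg[] = { 'l', 's', 0x0D };
    session_init(&s);
    for (uint32_t t = 0; t <= 40; t += 10)
        printf("t=%2u trip=%d\n", (unsigned)t,
               session_inspect(&s, seg, sizeof seg, 0x0D, t));
    return 0;
}
```

Only the state kept between packets makes the one-minute condition checkable; the content match on its own fires on every occurrence, which is the behaviour described in the question.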