[Snort-sigs] (no subject)

Henry B. Tindall, Jr. henry.tindall at ...1285...
Tue Feb 11 19:03:04 EST 2003


  I think I'd write a Perl script to tail the snort log looking for
entries from your custom rule.... use Date::hiRes or something of
that ilk to do the time differential.
  If you're on a Linux box acting as a gateway, forcing IPTables
to drop the connection shouldn't be a problem.

Henry B. Tindall, Jr.
  "There are only 10 kinds of people: Those who understand
binary and those who don't."


>Subject: Re: [Snort-sigs] (no subject)
>
>There's no way to do any time-based behaviors using a snort rule. Snort
>rules are entirely stateless, with the exception of the flows features, and
>the flows feature isn't time based either.
>
>This kind of thing would have to be done by writing some kind of snort
>preprocessor.
>
>At 09:31 PM 2/11/2003 +0200, Carmit Partoush wrote:
>>Hello all,
>>
>>I am using snort,
>>
>>I want to verify that in one telnet session, in one minute I will not
>>receive from the user more than 5 times the key "enter" ('41').
>>
>>  I want snort to close the session when I receive the fifth enter
>>request.
>>
>>For that I defined a rule: #alert tcp $HOME_NET any -> $EXTERNAL_NET 23
>>(msg:"TELNET login Type alarm alarm"; content:"|41|";)
>>
>>This rule recognizes the telnet request and the "enter" key ('41'). I want
>>snort to reset the session; that's why I am using:
>>
>>RESP_TCP_URG resp:rst_all; that's how I am closing the session.
>>
>>I have no idea how to tell snort to use the rule that I defined only
>>after I recognize 5 "enter" in one minute in one session.
>>
>>(now it closes the session every time I am using telnet and "enter")
>>
>>any suggestion ???????
>>
>>Carmit
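
Henry's approach, as an added example that is not part of this thread (written in Python rather than Perl): count alerts from the custom rule per telnet session over a sliding 60-second window and emit the gateway drop rule once the fifth one arrives. The alert_fast lines, the SID 1000001 and the hosts and ports are constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample alerts in Snort's alert_fast format. SID 1000001 is a
# placeholder for the custom telnet rule; hosts and ports are made up.
def _alert(ts, src, sport):
    return (f"{ts}  [**] [1:1000001:1] TELNET login Type alarm alarm [**] "
            f"[Priority: 0] {{TCP}} {src}:{sport} -> 192.168.1.10:23")

SAMPLE_LOG = [
    _alert("02/11-21:31:05.000000", "10.0.0.5", 40123),
    _alert("02/11-21:31:10.000000", "10.0.0.5", 40123),
    _alert("02/11-21:31:12.000000", "10.0.0.7", 51000),  # a different session
    _alert("02/11-21:31:20.000000", "10.0.0.5", 40123),
    _alert("02/11-21:31:30.000000", "10.0.0.5", 40123),
    _alert("02/11-21:32:06.000000", "10.0.0.5", 40123),  # 21:31:05 has aged out
    _alert("02/11-21:32:08.000000", "10.0.0.5", 40123),  # 5th hit within 60 s
]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{TCP\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line, year=2003):
    """Return (timestamp, sid, session) for one alert_fast line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, int(m["sid"]), (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def iptables_drop(session):
    """Build (but do not run) the gateway rule that drops the offending session."""
    src, sport, dst, dport = session
    return f"iptables -I FORWARD -p tcp -s {src} --sport {sport} -d {dst} --dport {dport} -j DROP"

def find_sessions_to_reset(lines, sid=1000001, threshold=5, window_s=60):
    """Sliding-window count per TCP session; one (ts, session, cmd) per session that trips."""
    hits, blocked, actions = defaultdict(deque), set(), []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[1] != sid or parsed[2] in blocked:
            continue  # other rules, unparseable lines and already-blocked sessions
        ts, _, session = parsed
        q = hits[session]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(session)
            actions.append((ts, session, iptables_drop(session)))
    return actions
```

In a deployment the script would follow the live alert file instead of a list, and hand each returned command to the firewall; here the decision is only computed so the logic can be checked on the constructed log.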
