[Snort-sigs] general sig question

Tom Arseneault TArseneault at ...1491...
Tue May 27 15:46:12 EDT 2003


For Snort <2.0 look at Activate/Dynamic (Section 2.2.6 in Snort Docs) (though probably not what you want) in Snort 2.0 look at tagging (Section 2.3.31 in Snort Docs).

Brian,
	Am I reading the manual wrong? This seems to be exactly what he's asking for (tagging is anyway)?

2.3.31  Tag

The tag keyword allows rules to log more than just the single packet that triggered the rule. Once a rule is triggered, additional traffic involving the source host is ``tagged''. Tagged traffic is logged to allow analysis of response codes and post-attack traffic. See Figure 2.26 for usage examples.

Format

tag: <type>, <count>, <metric>, [direction]

type
    session   log packets in the session that set off the rule
    host      log packets from the host that caused the tag to activate (uses [direction] modifier)
count
    Count is specified as a number of units. Units are specified in the <metric> field.
metric
    packets   tag the host/session for <count> packets
    seconds   tag the host/session for <count> seconds

alert tcp !$HOME_NET any -> $HOME_NET 143 (flags: A+; \
      content: "|e8 c0ff ffff|/bin/sh";  tag: host, 300, packets, src; \
      msg: "IMAP Buffer overflow, tagging!";)

alert tcp !$HOME_NET any -> $HOME_NET 23 (flags: S; \
     tag: session, 10, seconds; msg: "incoming telnet session";)

Figure 2.26: Tag Keyword Examples

================== Original Note ================================
Date: Thu, 22 May 2003 08:00:28 -0400
From: Brian <bmc at ...95...>
To: d_greenjr <d_greenjr at ...12...>
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] general sig question

On Thu, May 22, 2003 at 02:03:17AM -0400, d_greenjr wrote:
> Is there a way to have a rule alert-and/or log-only after the rule has been detected n amount of times from a specific source?
> 
> For example, how can I edit the following rule to only alerts after the sensor detects this signature 20 times from a single node that is !$HOME_NET?

You can't do that in snort right now as we do not have thresholding support.

-brian

Tom Arseneault
Security Engineer
Counterpane Internet Security.
"All humans are born Right-Handed...but the great ones overcome it."
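To make the tag semantics from the manual excerpt above concrete, here is a small Python simulation of the keyword over a constructed packet stream. This is an added example, not Snort's code and not part of the original message; the Packet/Tag types, the parse_tag and run functions, the addresses and the packet stream are all made up for the demonstration. It assumes that only packets after the triggering one count toward <count>, and that a host tag matches traffic with the tagged host as either endpoint (the manual's "traffic involving the source host").

```python
"""Simulation of Snort's tag keyword (added example, not Snort code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of the (constructed) capture
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Tag:
    ttype: str      # "host" or "session"
    count: int      # number of <metric> units
    metric: str     # "packets" or "seconds"
    direction: str  # "src" or "dst"; only meaningful for host tags


def parse_tag(option: str) -> Tag:
    """Parse 'tag: <type>, <count>, <metric>, [direction]' into a Tag."""
    key, sep, rest = option.partition(":")
    if not sep or key.strip() != "tag":
        raise ValueError("not a tag option: %r" % option)
    parts = [p.strip().rstrip(";") for p in rest.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError("tag needs type, count, metric[, direction]")
    ttype, count, metric = parts[0], int(parts[1]), parts[2]
    if ttype not in ("host", "session"):
        raise ValueError("bad tag type: %r" % ttype)
    if metric not in ("packets", "seconds"):
        raise ValueError("bad tag metric: %r" % metric)
    direction = parts[3] if len(parts) == 4 else "src"  # assumed default
    if direction not in ("src", "dst"):
        raise ValueError("bad tag direction: %r" % direction)
    return Tag(ttype, count, metric, direction)


class Tagger:
    """Tracks active tags; assumes only packets after the trigger count."""

    def __init__(self) -> None:
        # key -> [tag, trigger timestamp, packets still to log]
        self.active: Dict[Tuple, List] = {}

    @staticmethod
    def _session_key(p: Packet) -> Tuple:
        # endpoint order is sorted so both directions of a session match
        return ("session",) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def trigger(self, p: Packet, tag: Tag) -> None:
        """Called when a rule carrying `tag` fires on packet p."""
        if tag.ttype == "session":
            key = self._session_key(p)
        else:
            key = ("host", p.src if tag.direction == "src" else p.dst)
        self.active[key] = [tag, p.ts, tag.count]

    def observe(self, p: Packet) -> bool:
        """Return True if p is logged because of an active tag."""
        # host tags match the tagged host as either endpoint (assumption)
        for key in (self._session_key(p), ("host", p.src), ("host", p.dst)):
            entry = self.active.get(key)
            if entry is None:
                continue
            tag, start, left = entry
            if tag.metric == "seconds":
                if p.ts - start <= tag.count:
                    return True
            elif left > 0:
                entry[2] = left - 1
                return True
            del self.active[key]  # tag window exhausted: stop logging
        return False


def run(rule_tag: str, stream: List[Packet], trigger_idx: int) -> List[int]:
    """Fire the rule on stream[trigger_idx]; return indices logged by the tag."""
    tag = parse_tag(rule_tag)
    tagger = Tagger()
    logged: List[int] = []
    for i, p in enumerate(stream):
        if i == trigger_idx:
            tagger.trigger(p, tag)
        elif i > trigger_idx and tagger.observe(p):
            logged.append(i)
    return logged


# Constructed packet stream: documentation addresses, not real hosts.
ATTACKER, IMAP, OTHER, CLIENT = "203.0.113.7", "192.168.1.5", "192.168.1.9", "198.51.100.2"
STREAM = [
    Packet(0.0, ATTACKER, 40000, IMAP, 143),    # 0: the rule fires here
    Packet(0.5, IMAP, 143, ATTACKER, 40000),    # 1: reply in the same session
    Packet(1.0, ATTACKER, 40001, OTHER, 22),    # 2: same host, new session
    Packet(2.0, CLIENT, 50000, IMAP, 143),      # 3: unrelated host
    Packet(12.0, ATTACKER, 40000, IMAP, 143),   # 4: same session, 12 s later
    Packet(13.0, ATTACKER, 40002, OTHER, 80),   # 5: same host again
]

if __name__ == "__main__":
    print("host/packets:", run("tag: host, 3, packets, src", STREAM, 0))
    print("session/seconds:", run("tag: session, 10, seconds", STREAM, 0))
```

With the host tag, the three packets after the trigger that involve the attacker's address are logged regardless of session, while the unrelated client is not; with the session tag, only the reply inside the original session and within 10 seconds is logged, so the packet in that session 12 seconds later is dropped from the tag.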