[Snort-users] Dynamic rules

Martin Roesch roesch at ...421...
Fri Jan 26 11:00:28 EST 2001

Simon Attwell wrote:
> In reading through some of the dynamic rule documentation I could find no clue to the following.
> In the case that a packet trips a specific signature, on a content base, I would like to be able
> to log the entire conversation from that point, i.e. all packets coming from that source
> until a packet limit is reached or until a tcp fin is seen.
> Is there a way to dynamically access the ip/tcp/udp header information from the packet that triggered
> the initial alert ?

Not yet.  The initial dynamic rule implementation was actually pretty
primitive and just sets a rule "active" when the associated activate
rule fires.  I'm working on a method that will allow you to do both
session tagging (when rule 'blah' fires, tag the session|host|network
that originated it and record all packets from that source) and
targetable dynamic rules (communicate the target/attacker info to the
dynamic rule).

I'm planning on implementing this idea in the next week or two, so
please stay tuned. :)


Martin Roesch
roesch at ...421...
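
The session-tagging mechanism sketched in the reply above (an activate rule fires on a content match, the triggering packet's header information parameterises a dynamic tag, and packets from that session or host are then recorded until a packet limit or a TCP FIN) is simulated below. This is an added illustration written for this archive page, not Snort's code or anything Martin posted: the `Packet`, `ActivateRule`, `Tag` and `Engine` classes, the rule and the packet stream are all constructed here for the example.

```python
# Added illustration of activate/dynamic rules with session tagging.
# Not Snort code; every class, rule and packet below is constructed for this example.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: 4-tuple, payload and the FIN flag."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    fin: bool = False


@dataclass(frozen=True)
class ActivateRule:
    """Content-based rule that, when it fires, raises an alert and starts a tag."""
    sid: int
    dport: int
    content: bytes
    msg: str


@dataclass
class Tag:
    """Dynamic tag: records packets until the packet limit or a FIN is seen."""
    scope: str                    # "session" (4-tuple, both directions) or "host" (source IP)
    limit: int                    # maximum packets to record before closing the tag
    trigger: Packet               # the packet that fired the activate rule
    recorded: List[Packet] = field(default_factory=list)
    reason: Optional[str] = None  # "fin" or "limit" once the tag is closed

    def matches(self, pkt: Packet) -> bool:
        t = self.trigger
        if self.scope == "host":
            return pkt.src == t.src
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (t.src, t.sport, t.dst, t.dport)
        rev = (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (t.dst, t.dport, t.src, t.sport)
        return fwd or rev


class Engine:
    def __init__(self, rules: List[ActivateRule], scope: str = "session", limit: int = 50):
        self.rules = rules
        self.scope = scope
        self.limit = limit
        self.alerts: List[Tuple[int, str, Packet]] = []
        self.active: List[Tag] = []
        self.closed: List[Tag] = []

    def process(self, pkt: Packet) -> None:
        # 1. Feed active tags first: a tagged packet is recorded, not re-inspected.
        for tag in list(self.active):
            if tag.matches(pkt):
                tag.recorded.append(pkt)
                if pkt.fin:
                    tag.reason = "fin"
                elif len(tag.recorded) >= tag.limit:
                    tag.reason = "limit"
                if tag.reason:
                    self.active.remove(tag)
                    self.closed.append(tag)
                return
        # 2. Otherwise run the activate rules; the first match wins.
        for rule in self.rules:
            if pkt.dport == rule.dport and rule.content in pkt.payload:
                self.alerts.append((rule.sid, rule.msg, pkt))
                # The triggering packet's header fields parameterise the tag:
                # this is the "targetable" information the reply describes.
                tag = Tag(scope=self.scope, limit=self.limit, trigger=pkt)
                tag.recorded.append(pkt)  # log the conversation from this point on
                self.active.append(tag)
                return


# Constructed rule and packet stream: host 10.0.0.5 trips the rule, 10.0.0.9 is noise.
RULES = [ActivateRule(sid=1, dport=143, content=b"/bin", msg="IMAP overflow attempt")]
STREAM = [
    Packet("10.0.0.5", 1000, "192.168.1.2", 143, b"a1 LOGIN"),
    Packet("10.0.0.9", 2000, "192.168.1.2", 143, b"a1 LOGIN"),
    Packet("10.0.0.5", 1000, "192.168.1.2", 143, b"\xe8\xc0\xff\xff\xff/bin/sh"),  # fires sid 1
    Packet("10.0.0.9", 2000, "192.168.1.2", 143, b"a2 NOOP"),                      # unrelated host
    Packet("192.168.1.2", 143, "10.0.0.5", 1000, b"* BYE"),                        # server reply
    Packet("10.0.0.5", 1001, "192.168.1.2", 22, b"SSH-2.0-x"),                     # same host, new session
    Packet("10.0.0.5", 1000, "192.168.1.2", 143, b"", fin=True),                   # FIN closes the tag
    Packet("10.0.0.5", 1000, "192.168.1.2", 143, b"after fin"),                    # no longer recorded
]


def run(scope: str = "session", limit: int = 50) -> Engine:
    """Replay the constructed stream through an engine and return it for inspection."""
    eng = Engine(RULES, scope=scope, limit=limit)
    for p in STREAM:
        eng.process(p)
    return eng


if __name__ == "__main__":
    for scope, limit in (("session", 50), ("host", 50), ("host", 2)):
        e = run(scope, limit)
        for t in e.closed:
            print(scope, limit, t.reason, [(p.src, p.sport, p.dport) for p in t.recorded])
```

With `scope="session"` the tag records the triggering packet, the server's reply and the FIN, then closes; with `scope="host"` it instead picks up the attacker's unrelated SSH packet, and a small packet limit closes the tag before the FIN arrives. Snort later shipped this mechanism as the `tag` rule option (for example `tag:session,50,packets;` or `tag:host,600,seconds,src;`), which is the feature being previewed in the reply.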

