[Snort-users] Having trouble with activate/dynamic..

Erik Fichtner emf at ...367...
Sat Mar 10 15:15:55 EST 2001



I'm having a little bit of conceptual difficulty with the new activate/dynamic
rules, so I'm hoping someone who does understand them can explain it a little
better with an example....

What I want to do is take a rule like:

#ignore legitimate port unreachable messages
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; offset: 16;)

and be able to add a quick block of tests to this like:
# we made a dns request and it failed.
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|00 35|"; offset: 26;)
# some other port unreachable we didn't expect....
alert icmp any any -> 10.0.0.1 any (msg:" ICMP Port Unreachable we didn't expect"; itype:3; icode:1;)

Is there any way to do this with activate/dynamic?  Or, for that matter, 
any way to do what I want? (a nested set of content/offset/depth blocks would
do the trick if we had those..)

Someone please whack me with the clue-bat, okay?

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
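As an added illustration (not part of the post above, and not Snort code), the following Python decodes the original datagram that an ICMP type 3 / code 1 message quotes after its 8-byte header (RFC 792) and applies the nested decision the post is after: pass when the unreachable is about a UDP datagram that 10.0.0.1 itself sent to port 53, alert on any other port unreachable. The host 10.0.0.1 and port 53 come from the post; reading the quoted datagram's source address as "our request" and the constructed test messages are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address

OUR_HOST = IPv4Address("10.0.0.1")   # the host the post's rules protect
EXPECTED_UDP_PORTS = {53}            # DNS, the "|00 35|" the post passes on

def build_port_unreachable(orig_src, orig_dst, sport, dport):
    """Constructed test input: ICMP type 3 / code 1 quoting a UDP datagram
    (8-byte ICMP header + original 20-byte IPv4 header + its 8-byte UDP
    header, per RFC 792). Checksums stay zero; nothing below reads them."""
    icmp_hdr = struct.pack("!BBHI", 3, 1, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return icmp_hdr + ip_hdr + udp_hdr

def is_port_unreachable(icmp_msg):
    """The itype:3; icode:1; test from the post's rules."""
    return len(icmp_msg) >= 8 and icmp_msg[0] == 3 and icmp_msg[1] == 1

def quoted_datagram(icmp_msg):
    """Parse the datagram quoted in a port-unreachable message.
    Returns (src, dst, protocol, dst_port) or None if the quote is too short.
    The quoted IP header's source sits at byte 12 and destination at byte 16,
    counted from the start of the quote (just after the ICMP header)."""
    quote = icmp_msg[8:]
    if len(quote) < 20:
        return None
    ihl = (quote[0] & 0x0F) * 4
    proto = quote[9]
    src, dst = IPv4Address(quote[12:16]), IPv4Address(quote[16:20])
    dport = None
    if proto in (6, 17) and ihl >= 20 and len(quote) >= ihl + 4:
        # TCP and UDP both carry the destination port in bytes 2-3 of their header
        dport = struct.unpack("!H", quote[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport

def classify(icmp_msg):
    """Nested decision: 'pass' for an unreachable about a UDP datagram our host
    sent to an expected port, 'alert' for any other port unreachable, and None
    when the message is not a port unreachable at all (rules do not apply)."""
    if not is_port_unreachable(icmp_msg):
        return None
    parsed = quoted_datagram(icmp_msg)
    if parsed is None:
        return "alert"                # quote too short to vouch for: treat as unexpected
    src, dst, proto, dport = parsed
    if src == OUR_HOST and proto == 17 and dport in EXPECTED_UDP_PORTS:
        return "pass"
    return "alert"
```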
