[Snort-users] Having trouble with activate/dynamic..
emf at ...367...
Sat Mar 10 15:15:55 EST 2001
I'm having a little bit of conceptual difficulty with the new activate/dynamic
rules, so I'm hoping someone who does understand them can explain it a little
better with an example....
What I want to do is take a rule like:
#ignore legitimate port unreachable messages
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; offset: 16;)
and be able to add a quick block of tests to this like:
# we made a dns request and it failed.
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|00 35|"; offset: 26;)
# some other port unreachable we didn't expect....
alert icmp any any -> 10.0.0.1 any (msg:" ICMP Port Unreachable we didn't expect"; itype:3; icode:1;)
Is there any way to do this with activate/dynamic? Or, for that matter,
any way to do what I want? (a nested set of content/offset/depth blocks would
do the trick if we had those..)
Someone please whack me with the clue-bat, okay?
Security Administrator, ServerVault, Inc.
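
The nested test the message asks for, written out as an added example; it is not part of the original post and is not Snort code. It assumes the rule offsets count from the first byte after the 4-byte ICMP type/code/checksum, and that the inner tests should only run once the outer address test has matched. The function names and sample packets are constructed for illustration.

```python
import socket
import struct

HOME = socket.inet_aton("10.0.0.1")  # |0A 00 00 01| from the first rule
DNS_PORT = struct.pack("!H", 53)     # |00 35| from the second rule

def unreachable_payload(src, dst, dport, sport=1025):
    """Constructed sample: the ICMP error bytes that follow type/code/checksum."""
    unused = b"\x00" * 4                                            # offsets 0-3
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))  # offsets 4-23
    udp = struct.pack("!HHHH", sport, dport, 8, 0)                  # offsets 24-31
    return unused + ip + udp

def classify(itype, icode, payload):
    """Outer test first; inner tests run only when the outer one matched."""
    if (itype, icode) != (3, 1):        # itype/icode as written in the rules
        return "not examined"
    # Fixed-position compare, i.e. what offset plus a matching depth would pin down.
    if payload[16:20] != HOME:          # quoted source address at offset 16
        return "outer test failed"
    if payload[26:28] == DNS_PORT:      # quoted UDP destination port at offset 26
        return "pass"                   # our own DNS request that failed
    return "alert"                      # an unreachable we did not expect

if __name__ == "__main__":
    # Constructed packets using documentation addresses (192.0.2.0/24).
    for dport in (53, 6000):
        p = unreachable_payload("10.0.0.1", "192.0.2.53", dport)
        print(dport, classify(3, 1, p))
```
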