[Snort-users] Having trouble with activate/dynamic..

Martin Roesch roesch at ...421...
Mon Mar 12 02:05:13 EST 2001


Are you using the -o command line switch?

    -Marty

Erik Fichtner wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm having a little bit of conceptual difficulty with the new activate/dynamic
> rules, so I'm hoping someone who does understand them can explain it a little
> better with an example....
> 
> What I want to do is take a rule like:
> 
> #ignore legitimate port unreachable messages
> pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; offset: 16;)
> 
> and be able to add a quick block of tests to this like:
> # we made a dns request and it failed.
> pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|00 35|"; offset: 26;)
> # some other port unreachable we didn't expect....
> alert icmp any any -> 10.0.0.1 any (msg:" ICMP Port Unreachable we didn't expect"; itype:3; icode:1;)
> 
> Is there any way to do this with activate/dynamic?  Or, for that matter,
> any way to do what I want? (a nested set of content/offset/depth blocks would
> do the trick if we had those..)
> 
> Someone please whack me with the clue-bat, okay?
> 
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
> 
> iEYEARECAAYFAjqqi3oACgkQQ7EzrewLMS3z0QCfeft+jJUQ9TAyecfllsmI/GTY
> 4k0An3ZZx1exk//y7gdA2ggyGEH3+t9Y
> =LBQ1
> -----END PGP SIGNATURE-----
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
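
Background for the -o question above, as an added example that is not part of either message or of Snort's own code: a simplified Python model of rule ordering, in which alert rules are checked before pass rules by default and pass rules are checked first with -o. The packet builder, the sample addresses, and the assumption that content offsets count from the byte after the ICMP checksum are constructed for illustration.

```python
# Added example: simplified model of Snort action-list ordering (not Snort code).
from collections import namedtuple

Rule = namedtuple("Rule", "action itype icode content offset msg")

# The three rules from the quoted message; content patterns given as hex bytes.
RULES = [
    Rule("pass", 3, 1, bytes.fromhex("0a000001"), 16, None),
    Rule("pass", 3, 1, bytes.fromhex("0035"), 26, None),
    Rule("alert", 3, 1, None, 0, "ICMP Port Unreachable we didn't expect"),
]

DEFAULT_ORDER = ("alert", "pass", "log")     # rule order without -o
PASS_FIRST_ORDER = ("pass", "alert", "log")  # rule order with -o


def matches(rule, itype, icode, payload):
    """True if the ICMP type/code match and the content (if any) is found."""
    if (itype, icode) != (rule.itype, rule.icode):
        return False
    # content with an offset and no depth: search from offset to end of payload
    return rule.content is None or rule.content in payload[rule.offset:]


def evaluate(itype, icode, payload, order):
    """Walk the action lists in the given order; the first matching rule wins."""
    for action in order:
        for rule in RULES:
            if rule.action == action and matches(rule, itype, icode, payload):
                return action
    return None


def icmp_payload(src_ip, dst_ip, dport):
    """Constructed ICMP error body: 4 unused bytes, quoted IP header, UDP header.
    Assumption: rule offsets count from the byte after the ICMP checksum."""
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + src_ip + dst_ip
    udp = (40000).to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(4)
    return bytes(4) + ip + udp


if __name__ == "__main__":
    # Constructed sample: error quoting a DNS query sent by 10.0.0.1
    dns_fail = icmp_payload(bytes([10, 0, 0, 1]), bytes([192, 0, 2, 53]), 53)
    print("without -o:", evaluate(3, 1, dns_fail, DEFAULT_ORDER))
    print("with -o:   ", evaluate(3, 1, dns_fail, PASS_FIRST_ORDER))
```
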



