[Snort-users] Having trouble with activate/dynamic..
emf at ...367...
Mon Mar 12 09:42:09 EST 2001
On Mon, Mar 12, 2001 at 02:05:13AM -0500, Martin Roesch wrote:
> Are you using the -o command line switch?
I'd like to be able to nest the rules, though, since snort isn't terribly
well behaved when it comes to processing rules in a specific order. ;)
Specifically, these two rules, when left by themselves, do not accomplish
the result I want..

pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; offset: 16;)
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|00 35|"; offset: 26;)

Rule 1 says that it's an unreachable to the proper IP. Rule 2 says that
it's an unreachable to port 53 (assuming no ip opts). But this is a logical
OR test, when what I want is a logical AND.

pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; content:"|00 35|"; offset: 16; depth:32;)

looks right on the surface, but it makes no restrictions that each content
string appears at a specific place or in a specific order, although I admit
there's not much room to play around.
Security Administrator, ServerVault, Inc.
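
An added example, not part of the original message and not Snort code: a Python model of the OR, windowed and AND behaviours discussed above, run over constructed ICMP unreachable payloads. It assumes the message's offsets are counted from the byte after the ICMP type/code/checksum, so the quoted IP header starts at offset 4; the function names and the 192.0.2.7 peer address are made up for illustration.

```python
import struct

HOST = bytes([10, 0, 0, 1])   # content:"|0A 00 00 01|" from the rules
PORT = struct.pack("!H", 53)  # content:"|00 35|"
IP_OFF, PORT_OFF = 16, 26     # offsets used in the message (no IP options)

def quoted(src, dst, sport, dport, ihl=5):
    """Constructed sample payload: 4 unused ICMP bytes, quoted IPv4 header, 8 UDP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst)) + b"\x01" * ((ihl - 5) * 4)
    return b"\x00" * 4 + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def either_rule(p):
    """The two separate pass rules as the message reads them: a logical OR."""
    return p[IP_OFF:IP_OFF + 4] == HOST or p[PORT_OFF:PORT_OFF + 2] == PORT

def windowed(p, offset=16, depth=32):
    """Combined rule as the message describes it: both strings anywhere in the window."""
    w = p[offset:offset + depth]
    return HOST in w and PORT in w

def fixed_and(p):
    """Logical AND with each string pinned to its own offset."""
    return p[IP_OFF:IP_OFF + 4] == HOST and p[PORT_OFF:PORT_OFF + 2] == PORT

def header_aware_and(p):
    """Same AND, but the port offset follows the quoted header's IHL field."""
    if len(p) < 5:
        return False
    udp = 4 + (p[4] & 0x0F) * 4  # start of the quoted UDP header
    return p[IP_OFF:IP_OFF + 4] == HOST and p[udp + 2:udp + 4] == PORT

ME, PEER = (10, 0, 0, 1), (192, 0, 2, 7)  # PEER is a constructed address
SAMPLES = {
    "wanted":     quoted(ME, PEER, 1025, 53),
    "wrong port": quoted(ME, PEER, 1025, 80),
    "misplaced":  quoted(PEER, ME, 53, 1025),   # both strings present, wrong fields
    "ip options": quoted(ME, PEER, 1025, 53, ihl=6),
}

def evaluate():
    return {name: (either_rule(p), windowed(p), fixed_and(p), header_aware_and(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:12} either={row[0]} windowed={row[1]} fixed={row[2]} ihl-aware={row[3]}")
```

The "misplaced" sample is the case the message worries about: both byte strings fall inside the window, but in the wrong header fields. The "ip options" sample shows why the fixed offset 26 only holds when the quoted header carries no options.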