[Snort-users] Having trouble with activate/dynamic..

Erik Fichtner emf at ...367...
Mon Mar 12 09:42:09 EST 2001


On Mon, Mar 12, 2001 at 02:05:13AM -0500, Martin Roesch wrote:
> Are you using the -o command line switch?

Yeah.

I'd like to be able to nest the rules, though, since snort isn't terribly 
well behaved when it comes to processing rules in a specific order. ;)

Specifically, these two rules, when left by themselves, do not accomplish
the result I want..

pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; offset: 16;)
pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|00 35|"; offset: 26;)


Rule 1 says that it's an unreachable to the proper IP.   Rule 2 says that
it's an unreachable to port 53 (assuming no ip opts).   But this is a logical
OR test, when what I want is a logical AND.  

Furthermore,

pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; content:"|00 35|"; offset: 16; depth:32;)

looks right on the surface, but it makes no restrictions that each content 
string appears at a specific place or in a specific order, although I admit 
there's not much room to play around. 


-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
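
The three tests discussed in the message, as an added example (not part of the original post and not Snort code): a Python model run over constructed ICMP unreachable payloads, with a field-based AND check that uses the embedded IP header length so IP options do not shift the port test. It assumes offsets count from the 4 unused bytes after the ICMP checksum (which is what puts the embedded source address at 16 and the destination port at 26), that the embedded packet is UDP, and that the single rule's offset/depth define one shared window; all function names and sample addresses are hypothetical.

```python
import struct

# Assumption: payload = 4 unused ICMP bytes + embedded IP header + 8 bytes of UDP.
WATCHED_IP = bytes([10, 0, 0, 1])    # |0A 00 00 01| from the rules
WATCHED_PORT = 53                    # |00 35| from the rules

def or_match(payload):
    """The two separate pass rules: either one matching passes the packet."""
    return WATCHED_IP in payload[16:] or b"\x00\x35" in payload[26:]

def window_match(payload):
    """The single rule as described: both strings in bytes 16..47, any order."""
    window = payload[16:16 + 32]
    return WATCHED_IP in window and b"\x00\x35" in window

def and_match(payload):
    """Intended test: embedded source IP AND UDP destination port, by field."""
    ip = payload[4:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4         # real header length, so IP options are handled
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 4:
        return False
    (dport,) = struct.unpack("!H", ip[ihl + 2:ihl + 4])
    return ip[12:16] == WATCHED_IP and dport == WATCHED_PORT

def unreachable_payload(src, dst, sport, dport, options=b""):
    """Build a constructed sample payload (checksums left as zero)."""
    ihl = (20 + len(options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 28 + len(options),
                     0x1234, 0, 64, 17, 0, bytes(src), bytes(dst)) + options
    return b"\x00" * 4 + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed samples (192.0.2.7 is a documentation address).
GOOD = unreachable_payload((10, 0, 0, 1), (192, 0, 2, 7), 1025, 53)
WRONG_PORT = unreachable_payload((10, 0, 0, 1), (192, 0, 2, 7), 1025, 123)
SWAPPED = unreachable_payload((192, 0, 2, 7), (10, 0, 0, 1), 53, 1025)
WITH_OPTS = unreachable_payload((10, 0, 0, 1), (192, 0, 2, 7), 1025, 53,
                                options=b"\x01" * 4)

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_PORT", "SWAPPED", "WITH_OPTS"):
        p = globals()[name]
        print(f"{name:10} or={or_match(p)} window={window_match(p)} and={and_match(p)}")
```

WRONG_PORT is passed by the OR pair, and SWAPPED (address and port present but in the other fields) is passed by the single windowed rule; only the field-based check rejects both.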