[Snort-users] host-specificity in dynamic rules?

Glenn Forbes Fleming Larratt glratt at ...4500...
Tue Jan 8 10:40:03 EST 2002

1. Is there a way for an activate/dynamic rule pair to zero in on the
specific hosts detected by the activate rule? i.e., if I were to

activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
   msg:"Telnet SYN";)
dynamic TCP !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)

, if I've understood it correctly, a SYN from an external host would
log the next ten Telnet packets from *anywhere* outside to *anywhere*
inside. I would like to have the dynamic rule zero in on the two hosts
in the packet that triggered the activate rule - does Snort have this
capability, either currently or planned?

2. More generally, is there further documentation available on
activate/dynamic pairs? Nothing in the FAQ, and the example in the
USAGE file is very generic.

Thanks for any info,


Glenn Forbes Fleming Larratt          glratt at ...604...

There are imaginary bugs to chase in heaven.
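An added example, not from the post or from Snort itself, that models the two behaviours the question contrasts: a dynamic rule that counts header-matching packets globally once activated, versus one that tracks the follow-on count per (source, destination) pair of the triggering packet. Everything below is a simplification I constructed to illustrate the difference: `HOME_NET` is a constructed prefix, the sample packets are constructed, and the model assumes the activating SYN itself is not counted toward the dynamic rule's `count`.

```python
# Added illustration of activate/dynamic semantics; not Snort code.
from dataclasses import dataclass

# Constructed home network prefix standing in for $HOME_NET.
HOME_NET = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False

def is_external(ip: str) -> bool:
    return not ip.startswith(HOME_NET)

def matches_header(p: Packet) -> bool:
    """Shared header of both rules: !$HOME_NET any -> $HOME_NET 23."""
    return is_external(p.src) and not is_external(p.dst) and p.dport == 23

def run_header_only(packets, count=10):
    """Dynamic rule keyed only on the header (the behaviour described in
    the post): after a triggering SYN, the next `count` packets matching
    the header are logged, whatever hosts they are between."""
    remaining = 0
    logged = []
    for p in packets:
        if not matches_header(p):
            continue
        if remaining > 0:
            logged.append(p)
            remaining -= 1
        elif p.syn:                # activate rule fires, arm the counter
            remaining = count
    return logged

def run_host_specific(packets, count=10):
    """Dynamic rule narrowed to the host pair of the triggering packet:
    each (src, dst) that sent a SYN gets its own counter."""
    active = {}                    # (src, dst) -> packets left to log
    logged = []
    for p in packets:
        if not matches_header(p):
            continue
        key = (p.src, p.dst)
        if active.get(key, 0) > 0:
            logged.append(p)
            active[key] -= 1
        elif p.syn:
            active[key] = count
    return logged

# Constructed traffic: one external host opens Telnet, a second external
# host talks Telnet to a different internal host without any SYN seen.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", 23, syn=True),   # trigger
    Packet("192.0.2.10", "10.0.0.5", 23),
    Packet("192.0.2.10", "10.0.0.5", 23),
    Packet("198.51.100.7", "10.0.0.9", 23),           # unrelated pair
    Packet("198.51.100.7", "10.0.0.9", 23),
    Packet("192.0.2.10", "10.0.0.5", 80),             # not port 23
    Packet("192.0.2.10", "10.0.0.5", 23),
    Packet("10.0.0.5", "192.0.2.10", 23),             # internal source
]

def compare(count=10):
    """Return (header-only log size, host-specific log size) for the sample."""
    return (len(run_header_only(SAMPLE_PACKETS, count)),
            len(run_host_specific(SAMPLE_PACKETS, count)))

if __name__ == "__main__":
    print(compare())   # header-only also sweeps up the 198.51.100.7 traffic
```

With the sample above the header-only rule logs five packets, including the two from the unrelated external host, while the host-specific variant logs only the three from the pair that sent the SYN. For what it is worth, later Snort releases added the `tag` rule option (`tag:session,...` and `tag:host,...`), which ties the follow-on logging to the triggering session or host rather than to the rule header alone.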

