[Snort-users] host-specificity in dynamic rules?

Glenn Forbes Fleming Larratt glratt at ...4500...
Tue Jan 8 10:40:03 EST 2002


1. Is there a way for an activate/dynamic rule pair to zero in on the
specific hosts detected by the activate rule? i.e., if I were to
write:

activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
   msg:"Telnet SYN";)
dynamic tcp !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)

then, if I've understood it correctly, a SYN from an external host would
log the next ten Telnet packets from *anywhere* outside to *anywhere*
inside. I would like to have the dynamic rule zero in on the two hosts
in the packet that triggered the activate rule - does Snort have this
capability, either currently or planned?

2. More generally, is there further documentation available on
activate/dynamic pairs? Nothing in the FAQ, and the example in the
USAGE file is very generic.

Thanks for any info,

	-g


Glenn Forbes Fleming Larratt          glratt at ...604...
http://is.rice.edu/~glratt

There are imaginary bugs to chase in heaven.
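Added illustration (not part of the original post and not Snort's own code): a small Python model that replays a few constructed packets through the activate/dynamic pair quoted above under the two readings the question contrasts. With host_specific=False it follows the any-to-any semantics the poster describes (once activated, the dynamic rule counts the next N telnet packets from any external host to any internal host); with host_specific=True it counts only packets between the src/dst pair of the triggering SYN. $HOME_NET is assumed to be 10.0.0.0/24, the packet records are made up, and the handling of the triggering packet (alerted by the activate rule, not counted against the dynamic rule's budget) is a simplification of the model, not a claim about Snort internals.

```python
from dataclasses import dataclass

# Constructed sample data: $HOME_NET is assumed to be 10.0.0.0/24.
HOME_NET_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True for a bare SYN (what the activate rule's flags:S+ matches)


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def activate_matches(pkt: Packet) -> bool:
    """activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; ...)"""
    return not is_home(pkt.src) and is_home(pkt.dst) and pkt.dport == 23 and pkt.syn


def dynamic_matches(pkt: Packet) -> bool:
    """dynamic tcp !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:N;)"""
    return not is_home(pkt.src) and is_home(pkt.dst) and pkt.dport == 23


def run_pair(packets, count: int = 10, host_specific: bool = False):
    """Replay packets through the activate/dynamic pair.

    Returns the indices of the packets the dynamic rule would log.
    host_specific=False: once activated, the dynamic rule logs the next
    `count` packets matching its header from any external host to any
    internal host (the behaviour the post describes).
    host_specific=True: only packets between the src/dst pair of the
    triggering SYN are counted (the behaviour the post asks for).
    Simplification: the triggering packet is alerted by the activate rule
    and is not counted against the dynamic rule's budget.
    """
    logged = []
    remaining = 0
    pinned = None
    for i, pkt in enumerate(packets):
        if remaining == 0:
            # Dynamic rule is dormant; only the activate rule can fire.
            if activate_matches(pkt):
                remaining = count
                pinned = (pkt.src, pkt.dst) if host_specific else None
            continue
        if dynamic_matches(pkt) and (pinned is None or (pkt.src, pkt.dst) == pinned):
            logged.append(i)
            remaining -= 1
    return logged


def sample_packets():
    """Constructed traffic: one external host's SYN to an internal telnet
    port, then its own telnet packets interleaved with an unrelated external
    host talking to a different internal host."""
    return [
        Packet("203.0.113.5", "10.0.0.7", 23, True),    # 0: triggering SYN
        Packet("203.0.113.5", "10.0.0.7", 23, False),   # 1: same pair
        Packet("203.0.113.5", "10.0.0.7", 23, False),   # 2: same pair
        Packet("198.51.100.9", "10.0.0.8", 23, False),  # 3: unrelated pair
        Packet("203.0.113.5", "10.0.0.7", 23, False),   # 4: same pair
        Packet("203.0.113.5", "10.0.0.7", 80, False),   # 5: not telnet
        Packet("10.0.0.7", "203.0.113.5", 23, False),   # 6: reply, src is home
        Packet("203.0.113.5", "10.0.0.7", 23, False),   # 7: same pair
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    # Any-to-any: the unrelated pair at index 3 eats one of the three slots.
    print("any-to-any  :", run_pair(pkts, count=3))                      # [1, 2, 3]
    # Host-pinned: index 3 is skipped and the budget goes to the trigger pair.
    print("host-pinned :", run_pair(pkts, count=3, host_specific=True))  # [1, 2, 4]
```

The run with count=3 is the whole point of the question in miniature: the any-to-any reading spends one of the three logged packets on a different external host talking to a different internal host, while the host-pinned reading keeps all three on the pair that sent the SYN. For the real thing rather than a model, Snort's tag rule option (for example tag:session,10,packets; on an ordinary alert rule) logs subsequent packets of the session that fired the rule, which is the session-scoped behaviour asked about here.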
