[Snort-users] host-specificity in dynamic rules?
Glenn Forbes Fleming Larratt
glratt at ...4500...
Tue Jan 8 10:40:03 EST 2002
1. Is there a way for an activate/dynamic rule pair to zero in on the
specific hosts detected by the activate rule? I.e., if I were to use

    activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1;)
    dynamic tcp !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)

then, if I've understood it correctly, a SYN from an external host would
log the next ten Telnet packets from *anywhere* outside to *anywhere*
inside. I would like to have the dynamic rule zero in on the two hosts
in the packet that triggered the activate rule - does Snort have this
capability, either currently or planned?
2. More generally, is there further documentation available on
activate/dynamic pairs? Nothing in the FAQ, and the example in the
USAGE file is very generic.
Thanks for any info,
Glenn Forbes Fleming Larratt glratt at ...604...
There are imaginary bugs to chase in heaven.
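An added example (not from Glenn's post, and not taken from the Snort documentation) contrasting the activate/dynamic pair from the question with Snort's tag rule option, which is the mechanism that scopes follow-on logging to the hosts of the triggering packet. It assumes a Snort version that supports tag (tag:session and tag:host), that $HOME_NET is defined in snort.conf, and the sid values are constructed placeholders.

```snort
# Activate/dynamic pair as in the question: once the SYN matches, the
# dynamic rule logs the next 10 packets that match its *header*, i.e.
# from ANY external host to ANY internal Telnet server, not just the
# pair of hosts seen in the SYN.
activate tcp !$HOME_NET any -> $HOME_NET 23 (msg:"telnet SYN - activate"; flags:S+; activates:1;)
dynamic tcp !$HOME_NET any -> $HOME_NET 23 (activated_by:1; count:10;)

# tag:session alternative: log the triggering packet plus the next 10
# packets of the same TCP session (same source/destination address and
# port pair), so only the two hosts involved in the SYN are followed.
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"telnet SYN - tag session"; flags:S+; tag:session,10,packets; sid:1000001; rev:1;)

# tag:host variant: follow the next 10 packets sent by the external
# source host of the SYN, whatever internal host they are aimed at.
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"telnet SYN - tag host"; flags:S+; tag:host,10,packets,src; sid:1000002; rev:1;)
```

Tagged packets are written to the same output plugin as the alert, so the logged follow-on traffic can be correlated with the alert that started the tag; the count can also be expressed in seconds (tag:session,60,seconds) when a time window is more useful than a packet count.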