[Snort-users] host-specificity in dynamic rules?

Chris Green cmg at ...671...
Tue Jan 8 11:26:02 EST 2002


Glenn Forbes Fleming Larratt <glratt at ...4500...> writes:

> 1. Is there a way for an activate/dynamic rule pair to zero in on the
> specific hosts detected by the activate rule? i.e., if I were to
> write:

>
> activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
>    msg:"Telnet SYN";)
> dynamic TCP !$HOME_NET any -> $HOME_NET 23 (activated_by:1;
> count:10;)

use tagging

alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; msg:"Telnet SYN";\
                                          tag: host, 10, seconds;)

to get the binary logs

>
> 2. More generally, is there further documentation available on
> activate/dynamic pairs? Nothing in the FAQ, and the example in the
> USAGE file is very generic.

Its original purpose was replaced with tags.   Tags will be fleshed
out more in the future (2.0 era)
-- 
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
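The host-specificity point in the exchange above can be made concrete with a small model of the two logging strategies. The script below is an added example, not Snort's code and not part of the original thread: it models an activate/dynamic pair (the dynamic rule records the next `count` packets matching its header, from whichever host sends them) against `tag: host, 10, seconds, src` (every packet to or from the alerting source address is logged for 10 seconds). The packet list, the assumed `$HOME_NET` of 10.0.0.0/24 and the simplifications noted in the comments are all constructed for the example; the `src` direction in the tag form is the keyword Snort uses to tag the original packet's source address.

```python
# Added example (not Snort's code, not from this thread): a toy model of the
# two logging strategies discussed above, so the difference in
# host-specificity can be seen on constructed traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int        # seconds since capture start
    src: str
    dst: str
    dport: int
    syn: bool      # SYN flag set (stands in for flags:S+)


HOME_NET_PREFIX = "10.0.0."   # assumed $HOME_NET of 10.0.0.0/24


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def telnet_header(p: Packet) -> bool:
    """Header shared by both rules: tcp !$HOME_NET any -> $HOME_NET 23."""
    return (not is_home(p.src)) and is_home(p.dst) and p.dport == 23


def telnet_syn(p: Packet) -> bool:
    """Trigger condition: the header plus flags:S+."""
    return telnet_header(p) and p.syn


def dynamic_pair(packets, count: int = 10):
    """Simplified model of 'activates:1' / 'activated_by:1; count:10':
    once the activate rule fires, the dynamic rule records the next `count`
    packets that match its header, from whichever external host sends them."""
    logged, remaining = [], 0
    for p in packets:
        if telnet_syn(p):
            remaining = count          # each trigger re-arms the counter
        if remaining > 0 and telnet_header(p):
            logged.append(p)
            remaining -= 1
    return logged


def host_tag(packets, seconds: int = 10):
    """Simplified model of 'tag: host, 10, seconds, src': after an alert,
    every packet to or from the alerting source address is logged for
    `seconds` seconds, whatever port or destination it uses."""
    expiry = {}                        # tagged host -> last timestamp to log
    logged = []
    for p in packets:
        if telnet_syn(p):
            expiry[p.src] = p.ts + seconds
        if any(p.ts <= expiry.get(h, -1) for h in (p.src, p.dst)):
            logged.append(p)
    return logged


# Constructed traffic: two external hosts probing telnet, one of them also
# talking to a web server, and a late packet after the first tag has expired.
SAMPLE = [
    Packet(0,  "192.0.2.10",   "10.0.0.5", 23, True),    # A: telnet SYN -> alert
    Packet(1,  "192.0.2.10",   "10.0.0.5", 23, False),   # A: telnet data
    Packet(2,  "198.51.100.7", "10.0.0.5", 23, True),    # B: telnet SYN -> alert
    Packet(3,  "192.0.2.10",   "10.0.0.9", 80, False),   # A: unrelated HTTP
    Packet(5,  "198.51.100.7", "10.0.0.5", 23, False),   # B: telnet data
    Packet(12, "192.0.2.10",   "10.0.0.5", 23, False),   # A: after its 10 s tag
    Packet(20, "203.0.113.3",  "10.0.0.5", 22, False),   # C: ssh, never alerted
]


def logged_times(strategy, packets=SAMPLE):
    """Timestamps of the packets a strategy would have written to the log."""
    return [p.ts for p in strategy(packets)]


if __name__ == "__main__":
    print("dynamic pair logs:", logged_times(dynamic_pair))   # [0, 1, 2, 5, 12]
    print("host tag logs:   ", logged_times(host_tag))        # [0, 1, 2, 3, 5]
```

On this traffic the dynamic rule keeps logging host A's telnet packet at t=12 and never sees A's HTTP packet at t=3, because it follows the rule header rather than the host; the host tag does the opposite, which is what the original question was asking for.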
