[Snort-users] host-specificity in dynamic rules?
cmg at ...671...
Tue Jan 8 11:26:02 EST 2002
Glenn Forbes Fleming Larratt <glratt at ...4500...> writes:
> 1. Is there a way for an activate/dynamic rule pair to zero in on the
> specific hosts detected by the activate rule? i.e., if I were to
> activate tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; activates:1; \
> msg:"Telnet SYN";)
> dynamic TCP !$HOME_NET any -> $HOME_NET 23 (activated_by:1;
alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+; msg:"Telnet SYN";\
tag: host, 10, seconds;)
to get the binary logs
> 2. More generally, is there further documentation available on
> activate/dynamic pairs? Nothing in the FAQ, and the example in the
> USAGE file is very generic.
Its original purpose was replaced with tags. Tags will be fleshed
out more in the future (2.0 era)
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
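To illustrate the host-specificity that the suggested tag rule gives (and that the activate/dynamic pair lacked), here is an added simulation of what `tag: host, 10, seconds` does after the "Telnet SYN" rule fires; it is not code from the post or from Snort. It assumes the default tag direction (the source host of the triggering packet), treats 10.0.0.x as $HOME_NET, and uses a constructed packet list.

```python
from dataclasses import dataclass

HOME_NET_PREFIX = "10.0.0."   # constructed stand-in for $HOME_NET


@dataclass
class Packet:
    ts: float     # arrival time in seconds
    src: str
    dst: str
    dport: int
    syn: bool


def telnet_syn_rule(p: Packet) -> bool:
    """tcp !$HOME_NET any -> $HOME_NET 23 (flags:S+;)"""
    return (p.syn and p.dport == 23
            and not p.src.startswith(HOME_NET_PREFIX)
            and p.dst.startswith(HOME_NET_PREFIX))


def run_tag_host(packets, window=10.0):
    """Return (alerts, tagged) for tag:host,<window>,seconds (direction src assumed).
    Simplification: an already-active tag is not restarted by a second alert."""
    expiry = {}                 # host -> time the tag stops logging
    alerts, tagged = [], []
    for p in sorted(packets, key=lambda q: q.ts):
        if telnet_syn_rule(p):
            alerts.append(p)
            expiry.setdefault(p.src, p.ts + window)
        # any packet to or from a tagged host inside its window is logged
        if any(host in expiry and p.ts <= expiry[host] for host in (p.src, p.dst)):
            tagged.append(p)
    return alerts, tagged


def demo():
    # constructed traffic: one outside host probes telnet, another probes http
    pkts = [
        Packet(0.0, "192.0.2.9", "10.0.0.5", 23, True),      # fires the rule
        Packet(2.0, "10.0.0.5", "192.0.2.9", 40000, False),  # reply: same host, logged
        Packet(3.0, "10.0.0.5", "10.0.0.6", 23, True),       # internal: no rule, no tag
        Packet(5.0, "198.51.100.7", "10.0.0.5", 80, True),   # other host: not logged
        Packet(8.0, "192.0.2.9", "10.0.0.5", 23, False),     # still inside 10 s window
        Packet(11.0, "192.0.2.9", "10.0.0.5", 23, False),    # window expired
    ]
    return run_tag_host(pkts)


if __name__ == "__main__":
    alerts, tagged = demo()
    print(len(alerts), "alert(s);", [p.ts for p in tagged])   # 1 alert(s); [0.0, 2.0, 8.0]
```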