[Snort-users] activate dynamic

Slighter, Tim tslighter at ...5174...
Mon Jul 21 12:49:56 EDT 2003


Had posted earlier asking about how to accomplish the following:

When SOCKS or PROXY scans take place, there are usually several hundred or
even thousands within a very short period of time.  I had asked if there was
a way to instruct or craft snort so that it would log the first SOCKS or
PROXY scan but then stop logging any subsequent scans of this type from the
same host. (Similar to ISS event propagation).  Someone mentioned using
activate/dynamic, however, from all that I have seen, Activate/Dynamic is
another variation of "tagging" and I have no interest in tagging any of
these sessions.  Have also experimented with ruleset, but this essentially
would allow me to specify a ruleset that would allow of this type of traffic
to "PASS".  So, the precise goal here is to instruct snort to log or alert
the first and ONLY the first PROXY/SOCKS scan from a host and then do not
log or alert on the rest.  Unless I am overlooking something, is there
any way to accomplish this?

Thanks




