[Snort-users] Activates/Dynamic

sekure sekure at ...11827...
Tue Aug 3 10:54:02 EDT 2004


Are Activate/Dynamic rules still supported in the more recent releases of Snort?

I have an interesting problem I am trying to solve, that I'd love to
use Activate/Dynamic for.  However the documentation is telling me
that the use of those options is being phased out in favor of tagging.

I don't think I can do what I want to do with tagging, so I'd like to
know if I can still use Activate/Dynamic in 2.2.0rc1.

For the curious ones, here is what I am trying to achieve:

Occasionally, during some really weird hours, the CPU utilization on
one of my routers spikes to 70% or higher.  I know it's because of a
sudden spike in network traffic, but I don't know what the traffic is.
I send snmp queries to the router which responds with the cpu
utilization.  I am using byte_test to check the value of the cpu
utilization and I'd like to activate the dynamic portion if the
utilization is above 40%. The dynamic rule would capture a million or
so packets.

I have a rule that if set to "alert" or even "activate", gets
triggered upon seeing the correct packet.  However the "dynamic" part
never does anything, so I am nowhere.

activate udp router 161 -> host any (msg:"Utilization above 12%";
activates:1; content:"|04 01 09 02 01 39 00 02 01|"; offset:36;
depth:9; byte_test:1,>,0x0B,0,relative;)

dynamic tcp any any -> any any (activated_by: 1; msg:"Activated"; count: 50;)

I don't think I can do this with tagging because I am trying to
capture ALL traffic, not just between the two hosts that generated the
original event.

Any ideas?
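To check offline what the "activate" rule above actually matches, here is an added example (not from the poster or the Snort project) that emulates the rule's content/offset/depth and byte_test options in Python over constructed payloads. The sample payloads are built by hand: 36 filler bytes standing in for everything the rule skips with offset:36, then the nine matched bytes, then the one-byte utilization value that byte_test compares against 0x0B (so the rule fires for values of 12 and above).

```python
# Added example: emulate the activate rule's payload options from the post.
# content:"|04 01 09 02 01 39 00 02 01|"; offset:36; depth:9;
# byte_test:1,>,0x0B,0,relative;
CONTENT = bytes.fromhex("04 01 09 02 01 39 00 02 01")
OFFSET, DEPTH = 36, 9
THRESHOLD = 0x0B  # byte_test compares the next byte with "> 11"


def snort_content_match(payload, content, offset, depth):
    """Emulate content/offset/depth: the pattern must be found inside
    payload[offset:offset+depth]. Return the cursor just past the match,
    or -1 if it is absent (a 9-byte pattern with depth:9 must sit exactly at offset)."""
    window = payload[offset:offset + depth]
    idx = window.find(content)
    if idx < 0:
        return -1
    return offset + idx + len(content)


def byte_test_gt(payload, cursor, nbytes, value, rel_offset=0):
    """Emulate byte_test:<nbytes>,>,<value>,<rel_offset>,relative with the
    default big-endian interpretation. False when the field is truncated."""
    start = cursor + rel_offset
    field = payload[start:start + nbytes]
    if len(field) < nbytes:
        return False
    return int.from_bytes(field, "big") > value


def rule_fires(payload):
    """True when both the content match and the relative byte_test succeed."""
    cursor = snort_content_match(payload, CONTENT, OFFSET, DEPTH)
    if cursor < 0:
        return False
    return byte_test_gt(payload, cursor, 1, THRESHOLD)


def build_sample(cpu_percent):
    """Constructed payload (not a real SNMP capture): filler up to the rule's
    offset, the matched varbind bytes, the utilization byte, some trailing bytes."""
    return b"\x00" * OFFSET + CONTENT + bytes([cpu_percent]) + b"\x00" * 4


if __name__ == "__main__":
    for pct in (5, 11, 12, 45):
        print(f"cpu={pct:2d}% -> activate rule fires: {rule_fires(build_sample(pct))}")
```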



