sekure at ...11827...
Tue Aug 3 10:54:02 EDT 2004
Are Activate/Dynamic rules still supported in the more recent releases of Snort?
I have an interesting problem I am trying to solve, that I'd love to
use Activate/Dynamic for. However the documentation is telling me
that the use of those options is being phased out in favor of tagging.
I don't think I can do what I want to do with tagging, so I'd like to
know if I can still use Activate/Dynamic in 2.2.0rc1.
For the curious ones, here is what i am trying to achieve:
Occasionally, during some really weird hours, the CPU utilization on
one of my routers spikes to 70% or higher. I know it's because of a
sudden spike in network traffic, but I don't know what the traffic is.
I send snmp queries to the router which responds with the cpu
utilization. I am using byte_test to check the value of the cpu
utilization and I'd like to activate the dynamic portion if the
utilization is above 40%. The dynamic rule would capture a million or
I have a rule that if set to "alert" or even "activate", gets
triggered upon seeing the correct packet. However the "dynamic" part
never does anything, so I am nowhere.
activate udp router 161 -> host any (msg:"Utilization above 12%";
activates:1; content:"|04 01 09 02 01 39 00 02 01|"; offset:36;)
dynamic tcp any any -> any any (activated_by:1; msg:"Activated"; count:50;)
I don't think I can do this with tagging because I am trying to
capture ALL traffic, not just between the two hosts that generated the
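As an added illustration (not from the original post and not Snort's own code), a small Python model of what the activate/dynamic pair in the post is meant to do: a byte_test-style check reads the CPU value from the router's SNMP reply at an assumed offset, and once it exceeds the threshold an armed counter records the next `count` TCP packets between any hosts. All addresses, offsets and payloads are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def byte_test(payload: bytes, num_bytes: int, op: str, value: int, offset: int) -> bool:
    """Mimic Snort's byte_test: read num_bytes big-endian at offset and compare."""
    if offset + num_bytes > len(payload):
        return False
    n = int.from_bytes(payload[offset:offset + num_bytes], "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]

@dataclass
class ActivateDynamic:
    """activate: udp/161 reply from the router whose CPU byte exceeds threshold.
    dynamic (tcp any any -> any any): after activation, keep the next `count` TCP packets."""
    router: str
    threshold: int
    value_offset: int      # assumed position of the CPU percentage in the reply
    count: int
    remaining: int = 0
    captured: list = field(default_factory=list)
    alerts: int = 0

    def process(self, pkt: Packet) -> None:
        if pkt.proto == "udp" and pkt.src == self.router and pkt.sport == 161:
            if byte_test(pkt.payload, 1, ">", self.threshold, self.value_offset):
                self.alerts += 1
                self.remaining = self.count   # "activates:1" arms the dynamic rule
                return
        if pkt.proto == "tcp" and self.remaining > 0:   # dynamic rule header is tcp-only
            self.captured.append(pkt)
            self.remaining -= 1

def run_demo() -> ActivateDynamic:
    hdr = b"\x30\x10\x02\x01\x00\x04\x02\x01"   # constructed header; CPU byte at offset 8
    low, high = hdr + bytes([25]), hdr + bytes([70])
    ad = ActivateDynamic(router="10.0.0.1", threshold=40, value_offset=8, count=3)
    traffic = [
        Packet("udp", "10.0.0.1", 161, "10.0.0.9", 1024, low),    # 25%: no activation
        Packet("tcp", "10.0.0.5", 4444, "10.0.0.7", 80, b"x"),     # not captured yet
        Packet("udp", "10.0.0.1", 161, "10.0.0.9", 1024, high),   # 70%: activates
        Packet("tcp", "10.0.0.5", 4444, "10.0.0.7", 80, b"a"),
        Packet("tcp", "10.0.0.8", 5555, "10.0.0.6", 443, b"b"),
        Packet("udp", "10.0.0.2", 53, "10.0.0.3", 3333, b"c"),     # udp: outside dynamic header
        Packet("tcp", "10.0.0.8", 5555, "10.0.0.6", 443, b"d"),    # third and last capture
        Packet("tcp", "10.0.0.4", 2222, "10.0.0.6", 22, b"e"),     # counter exhausted
    ]
    for p in traffic:
        ad.process(p)
    return ad
```

The udp/53 packet shows why the poster's "tcp any any" dynamic header would not capture all traffic; a second dynamic rule for udp (or ip) would be needed for that.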