[Snort-users] Can I automatically include rules?

oink at ...13658... oink at ...13658...
Tue Dec 6 09:17:03 EST 2005


Hello,

I would like to include a rule when another is triggered, for example:

If this rule is triggered:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5;)

I would like to also trigger this rule for n minutes/seconds:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I've looked at the tagging option for rules but I need to drop them, not
just log them.

Any ideas?




