[Snort-users] Sticky-drop

Patrick Walsh pwalsh at ...13543...
Wed Dec 7 07:33:04 EST 2005


	What's this?  Sticky-drop?  Can someone provide a link to more
information?  Google searches have not been fruitful.  I'm using snort
2.4.3 and a grep of the source tree for "sticky" came back with nothing.
Is there a patch?

	Also, are there any known bugs with connection resets?  I think the
reset packets may not be getting sent to both ends of the connection or
else might not have the proper source port set.

	Finally, there's a bug filed on Sourceforge that says that "After a lot
of tries, a packet can pass through snort-inline" [1].  Is this a
confirmed issue?  I've seen some behavior that suggests it could be
true, but I haven't tracked it down yet.

Thanks,

..Patrick

1. http://sourceforge.net/tracker/index.php?func=detail&aid=876404&group_id=78497&atid=553467



On Tue, 2005-12-06 at 11:19 -0600, Will Metcalf wrote:
> sticky-drop in snort-inline can do this.  You could probably
> accomplish the same thing with Snortsam In InlineMode(); but I haven't
> tried it.
> 
> Regards,
> 
> Will
> 
> On 12/6/05, oink at ...13658... <oink at ...13658...> wrote:
> > Hello,
> >
> > I would like to include a rule when another is triggered, for example:
> >
> > If this rule is triggered:
> > drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE
> > Malware Gator/Clarian Agent"; flow: to_server,established;
> > uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:
> > policy-violation; reference:url,
> > www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306;
> > rev:5;)
> >
> > I would like to also trigger this rule for n minutes/seconds:
> > drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> > connection initiated";)
> >
> > I've looked at the tagging option for rules but I need to drop them, not
> > just log them.
> >
> > Any ideas?
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
> > for problems?  Stop!  Download the new AJAX search engine that makes
> > searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> > http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
-- 
Patrick Walsh
eSoft Incorporated
303.444.1600 x3350
http://www.esoft.com/
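The behaviour the original poster asks for (rule A fires, then every port-80 connection from that host is dropped for N seconds) is easiest to see as a small timed block table. The following is an added illustration written for this archive page; it is not snort-inline code, does not show sticky-drop's real syntax or implementation, and the class and function names, the simplified packet model, and the sample packets are all assumptions made here. The trigger condition reduces the thread's rule to "port 80 plus the Gator/Clarian URI", and the hold applies only to port 80, matching the second rule in the post.

```python
"""
Added illustration (not from the thread, not snort-inline code): simulate
"when rule A fires, drop port-80 traffic from that source for N seconds".
Names (Packet, StickyDropTable, verdict, run) and sample data are assumed.
"""
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    uri: str = ""     # simplified stand-in for the HTTP request URI
    ts: float = 0.0   # seconds, supplied by the caller so runs are deterministic

@dataclass
class StickyDropTable:
    hold_seconds: float
    expires: dict = field(default_factory=dict)  # src host -> expiry timestamp

    def add(self, host, now):
        self.expires[host] = now + self.hold_seconds

    def is_held(self, host, now):
        exp = self.expires.get(host)
        if exp is None:
            return False
        if now >= exp:
            del self.expires[host]  # lazy expiry: drop the stale entry
            return False
        return True

# uricontent from the rule quoted in the thread (matched case-insensitively,
# as "nocase" in the rule requests)
TRIGGER_URI = "/gbsf/gd/ne/new.net.gtrg2ze"

def verdict(pkt, table):
    """Return ('drop'|'pass', reason) and update the sticky-drop table."""
    # 1. Source still inside its hold window: drop any port-80 packet,
    #    i.e. the poster's second rule ("Port 80 connection initiated").
    if pkt.dport == 80 and table.is_held(pkt.src, pkt.ts):
        return "drop", "sticky: port 80 connection initiated"
    # 2. Trigger rule: spyware agent URI seen on port 80; drop it and start the hold.
    if pkt.dport == 80 and TRIGGER_URI in pkt.uri.lower():
        table.add(pkt.src, pkt.ts)
        return "drop", "trigger: Gator/Clarian agent"
    return "pass", ""

def run(packets, hold_seconds=60):
    """Process packets in order, returning the verdict for each one."""
    table = StickyDropTable(hold_seconds)
    return [verdict(p, table)[0] for p in packets]

def sample_packets():
    """Constructed sample traffic (RFC 5737 addresses, not real hosts)."""
    return [
        Packet("10.0.0.5", "203.0.113.10", 80, "/index.html", ts=0),
        Packet("10.0.0.5", "203.0.113.10", 80, "/GBSF/gd/ne/new.net.gtrg2ze", ts=1),
        Packet("10.0.0.5", "203.0.113.20", 80, "/anything", ts=2),    # held
        Packet("10.0.0.6", "203.0.113.20", 80, "/other", ts=3),       # other host
        Packet("10.0.0.5", "203.0.113.20", 443, "", ts=5),            # not port 80
        Packet("10.0.0.5", "203.0.113.10", 80, "/late", ts=70),       # hold expired
    ]

if __name__ == "__main__":
    for pkt, v in zip(sample_packets(), run(sample_packets())):
        print(f"t={pkt.ts:>3} {pkt.src} -> {pkt.dst}:{pkt.dport} {v}")
```

Unlike the tag option mentioned in the post, which only logs follow-on packets, this model returns a drop verdict for them; the lazy expiry in is_held keeps the table from growing with hosts whose hold has already lapsed.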