[Snort-users] Rule Chaining

Brian bmc at ...950...
Fri Feb 25 11:14:31 EST 2005


On Thu, Feb 24, 2005 at 09:25:35PM -0800, Madhur Nagar wrote:
> 1. Rule Chaining - one rule calling another

FYI, most uses of activate/dynamic should be replaced with flowbits.
Sure, flowbits only works on a single flow, but it works oh so much
better than activate/dynamic rules.

> 2. Stateful Checking - Checking for a content in say 10 packets and
> only if the content of all the 10 matches then take some action

Sure, thresholding can do this.

> 3. Remote Rule Updation

Sounds like you need snort-perl 1.0 :P.  Remote rule installation was
one of the primary features I added in my latest iteration of snort +
perl.

    http://www.shmoo.com/~bmc/software/snort-perl/

Brian
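
The first two answers above, sketched as Snort 2.x rules. This is an added example, not part of the original message and not from the Snort ruleset; the IMAP port, content strings, flowbit name, msg text and SIDs are constructed for illustration.

```snort
# --- Rule chaining, old style: activate/dynamic -------------------------
# The activate rule alerts and switches on dynamic rule 1, which then logs
# the next 50 packets that match its own header, whatever flow they are on.
activate tcp any any -> $HOME_NET 143 (msg:"EXAMPLE IMAP LOGIN seen"; flow:to_server,established; content:"LOGIN"; nocase; activates:1; sid:1000001; rev:1;)
dynamic tcp any any -> $HOME_NET 143 (activated_by:1; count:50;)

# --- Rule chaining with flowbits ----------------------------------------
# Rule 1 records state on the TCP flow and stays silent (noalert).
# Rule 2 fires only if that state was set earlier on the same flow.
alert tcp $HOME_NET 143 -> any any (msg:"EXAMPLE IMAP login ok (state only)"; flow:to_client,established; content:"OK LOGIN"; flowbits:set,imap_logged_in; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 143 (msg:"EXAMPLE IMAP LIST after login"; flow:to_server,established; content:"LIST"; flowbits:isset,imap_logged_in; sid:1000003; rev:1;)

# --- Act only after N matches: thresholding -----------------------------
# "type both" alerts once per 60-second window, and only after the rule has
# matched 10 times from the same source IP. It counts matches of this rule;
# it does not require the 10 matching packets to be consecutive.
alert tcp any any -> $HOME_NET 143 (msg:"EXAMPLE repeated IMAP LOGIN"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type both, track by_src, count 10, seconds 60; sid:1000004; rev:1;)
```

The flowbit is stored per flow, so rule 1000003 cannot be armed by a login seen on a different connection; later Snort 2.x releases replaced the in-rule `threshold` option with `detection_filter` and `event_filter`.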



