[Snort-users] a few questions...
wkitty42 at ...14940...
Sat Jul 6 09:14:07 EDT 2013
On 7/5/2013 21:24, Joel Esler wrote:
> We should probably think about removing dynamically activated rules. I've not
> met anyone that uses those (that didn't know about flowbits) in many years.
i don't know... the example i read in the docs seems to offer some nice
possibilities... that example was about capturing the next 50 packets after
detecting IMAP buffer overflow, IIRC...
i'm a bit confused by the method of determining the activator and the activatee,
though... it would seem to be better to use the SIDs instead of some random
number, wouldn't it?
activates:12345 where 12345 is the SID of the dynamically activated rule.
activated_by:12300 where 12300 is the SID of the activating rule.
or maybe i'm misunderstanding and the examples are not accurate and complete?
both use "1" for their activate field and neither carries a SID :/
i can, in fact, see great potential for this and it may actually be exactly what
i'm looking for to track and handle brute force signup attempts to web forums...
i'm using flowbits for this but they do not cross sessions... they don't in my
(admittedly old 184.108.40.206) production box, anyway... this might provide a method
of handling multiple sessions in this process... or is this activation stuff
also limited to only the current active session?
are the dynamic rules also only limited to logging the data? perhaps that can be
expanded so they can watch and trigger additional dynamic rules or raise
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
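An added example of the activate/dynamic pairing the message asks about (constructed here, not from the original post or the Snort manual, though it follows the manual's IMAP example): the number after activates:/activated_by: is a shared activation-group id, not a sid, and each rule can still carry its own sid. The sids 1000001/1000002 are placeholders; the manual itself recommends the tag option over activate/dynamic pairs.

```snort
# Constructed example; the group id "1" links the two rules, the sids do not.

# Activator: fires on the IMAP overflow pattern, then turns on group 1.
activate tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP buffer overflow attempt"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; activates:1; sid:1000001; rev:1;)

# Activatee: dormant until group 1 is activated, then logs the next 50 packets
# on the same destination port and goes dormant again.
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP post-overflow capture"; activated_by:1; count:50; sid:1000002; rev:1;)
```

Several dynamic rules may share one activated_by group, so a single activator can wake more than one capture rule; none of them generates further activations.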