[Snort-users] a few questions...

waldo kitty
Sat Jul 6 09:14:07 EDT 2013


On 7/5/2013 21:24, Joel Esler wrote:
> We should probably think about removing dynamically activated rules. I've not
> met anyone that uses those (that didn't know about flowbits) in many years.

i don't know... the example i read in the docs seems to offer some nice 
possibilities... that example was about capturing the next 50 packets after 
detecting IMAP buffer overflow, IIRC...

i'm a bit confused by the method of determining the activator and the activatee, 
though... it would seem to be better to use the SIDs instead of some random 
number, wouldn't it?

activates:12345 where 12345 is the SID of the dynamically activated rule.
activated_by:12300 where 12300 is the SID of the activating rule.

or maybe i'm misunderstanding and the examples are not accurate and complete? 
both use "1" for their activate field and neither carries a SID :/

i can, in fact, see great potential for this and it may actually be exactly what 
i'm looking for to track and handle brute force signup attempts to web forums... 
i'm using flowbits for this but they do not cross sessions... they don't in my 
(admittedly old 2.8.6.1) production box, anyway... this might provide a method 
of handling multiple sessions in this process... or is this activation stuff 
also limited to only the current active session?

are the dynamic rules also only limited to logging the data? perhaps that can be 
expanded so they can watch and trigger additional dynamic rules or raise 
additional alerts?

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
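The activate/dynamic linkage the post asks about, shown as an added example that is not part of the original thread and not Snort project code: in Snort's rule language an `activate` rule and its `dynamic` partner are tied together by a shared activation number (`activates:N` / `activated_by:N`), which is independent of either rule's `sid`; that is why the manual's IMAP example uses `1` on both sides and carries no sid. The Python below is a constructed linter that parses a small rule set (the sample rules, sids and the forum-signup rules are made up here, shaped after the manual's example) and reports activation groups with no partner, dynamic rules that lack `count`, and flowbits that are tested but never set.

```python
"""Lint a Snort rule file for activate/dynamic and flowbits linkage.

Constructed example (not Snort code). Snort links an `activate` rule to a
`dynamic` rule through a shared activation number (activates:N on the
activate rule, activated_by:N on the dynamic rule). That number is a group
id, not the sid of either rule.
"""
import re
from collections import defaultdict

# Constructed sample rule set (sids are invented). The IMAP pair follows the
# shape of the manual's example: the activate rule alerts and switches on the
# dynamic rule, which then logs the next `count` packets matching its header.
SAMPLE_RULES = r"""
activate tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IMAP buffer overflow"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; activates:1; sid:1000001; rev:1;)
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50; sid:1000002; rev:1;)
# dangling: nothing activates group 7
dynamic tcp any any -> $HOME_NET 80 (activated_by:7; count:10; sid:1000003; rev:1;)
# activate rule with no dynamic partner for group 2
activate tcp any any -> $HOME_NET 80 (msg:"forum signup burst"; content:"POST /signup"; activates:2; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"signup seen"; content:"POST /signup"; flowbits:set,signup.seen; flowbits:noalert; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"signup repeat"; flowbits:isset,signup.seen; content:"POST /signup"; sid:1000006; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"never set"; flowbits:isset,login.failed; sid:1000007; rev:1;)
"""

# action, header (everything up to the first '('), options inside the parens
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$")
# split on ';' only when an even number of quotes follows (i.e. outside "...")
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rules(text):
    """Return one dict per rule: action, sid, activates, activated_by, count, flowbits."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts, flowbits = {}, []
        for opt in OPT_SPLIT_RE.split(m.group("opts")):
            opt = opt.strip()
            if not opt:
                continue
            key, _, val = opt.partition(":")
            if key == "flowbits":
                flowbits.append(val.strip())   # e.g. "set,signup.seen"
            else:
                opts[key] = val.strip()
        rules.append({
            "action": m.group("action"),
            "sid": opts.get("sid"),
            "activates": opts.get("activates"),
            "activated_by": opts.get("activated_by"),
            "count": opts.get("count"),
            "flowbits": flowbits,
        })
    return rules


def lint(rules):
    """Return {'linked_groups': [...], 'problems': [...]} for a parsed rule list."""
    activators = defaultdict(list)   # activation number -> sids of activate rules
    dynamics = defaultdict(list)     # activation number -> sids of dynamic rules
    set_bits, tested_bits = set(), set()
    problems = []
    for r in rules:
        if r["action"] == "activate":
            if r["activates"] is None:
                problems.append(f"sid {r['sid']}: activate rule without activates:")
            else:
                activators[r["activates"]].append(r["sid"])
        elif r["action"] == "dynamic":
            if r["activated_by"] is None:
                problems.append(f"sid {r['sid']}: dynamic rule without activated_by:")
            else:
                dynamics[r["activated_by"]].append(r["sid"])
            if r["count"] is None:
                problems.append(f"sid {r['sid']}: dynamic rule without count:")
        for fb in r["flowbits"]:
            op, _, name = fb.partition(",")
            if op in ("set", "setx", "toggle"):
                set_bits.add(name.strip())
            elif op in ("isset", "isnotset"):
                tested_bits.add(name.strip())
    for num, sids in activators.items():
        if num not in dynamics:
            problems.append(f"activates:{num} (sids {sids}) has no dynamic rule with activated_by:{num}")
    for num, sids in dynamics.items():
        if num not in activators:
            problems.append(f"activated_by:{num} (sids {sids}) has no activate rule with activates:{num}")
    for name in sorted(tested_bits - set_bits):
        problems.append(f"flowbits {name} is tested but never set")
    linked = sorted(num for num in activators if num in dynamics)
    return {"linked_groups": linked, "problems": problems}


if __name__ == "__main__":
    report = lint(parse_rules(SAMPLE_RULES))
    print("linked activation groups:", report["linked_groups"])
    for p in report["problems"]:
        print("PROBLEM:", p)
```

Run against the sample, the linter reports group `1` as the only complete activate/dynamic pair; group `2` and group `7` each have only one side, and `login.failed` is tested by a rule but never set. Point `parse_rules` at the contents of a real `.rules` file to check a production set the same way.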