[Snort-users] activate/dynamic rules problem

Joel Esler (jesler) jesler at ...589...
Mon Jan 12 09:53:58 EST 2015


> On Jan 11, 2015, at 8:21 AM, Mark Greenman <mark.greenman.014 at ...11827...> wrote:
> 
> Hi. Do you know the reason for this warning after using activate/dynamic rules:
> 
> WARNING: an activation rule with no dynamic rules matched.
> 
> The set of rules that I have used in the experiment are:
> 
> activate tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"adc!"; content:"Tree"; activates:1; sid:1000001;)
> dynamic tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"dyn!"; activated_by:1; count:3; sid:1000002;)


Are you sure “flowbits” aren’t a better option for what you are trying to do?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos