[Snort-users] help: how to use binder to give different flow with different ips-rules ?

sofardware sofardware at 126.com
Wed Mar 13 03:22:40 EDT 2019


Hi all,

For example, what I want to do:
    when source net = 1.1.1.1/16, use ips rule files: snort3-browser-ie.rules, snort3-browser-firefox.rules
    when source net = 1.1.1.1/16, use ips rule files: snort3-indicator-shellcode.rules, snort3-malware-backdoor.rules

How can I use the flow binder:
    string binder[].use.ips_policy: use ips policy from given file
What should be filled in the given file? The snort3 manual does not say what an ips_policy is.

    ips =
    {
        include = 'snort3-browser-ie.rules'
    }

Is this an ips_policy? If yes, what is the difference between realizing the above thing with binder[].use.ips_policy and with binder[].use.file?

Other help needed:
How can the following binders be used? There is no detailed help info or example in --help or the manual.
    string binder[].use.inspection_policy: use inspection policy from given file
    string binder[].use.network_policy: use network policy from given file

    int binder[].when.ips_policy_id = 0: unique ID for selection of this config by external logic { 0: }