Re: [Snort-sigs] general sig question

From: Tom Arseneault <TArseneault(at)counterpane.com>
Date: Tue May 27 2003 - 18:45:35 EDT


For Snort <2.0, look at Activate/Dynamic (Section 2.2.6 in the Snort docs), though that is probably not what you want; in Snort 2.0, look at tagging (Section 2.3.31 in the Snort docs).

Brian,

        Am I reading the manual wrong? This seems to be exactly what he's asking for (tagging is, anyway).

2.3.31 Tag
The tag keyword allows rules to log more than just the single packet that triggered the rule. Once a rule is triggered, additional traffic involving the source host is "tagged". Tagged traffic is logged to allow analysis of response codes and post-attack traffic. See Figure 2.26 for usage examples.

Format

tag: <type>, <count>, <metric>, [direction]

type
    session   log packets in the session that set off the rule
    host      log packets from the host that caused the tag to activate (uses the [direction] modifier)

count
    Count is specified as a number of units. Units are specified in the <metric> field.

metric
    packets   tag the host/session for <count> packets
    seconds   tag the host/session for <count> seconds

alert tcp !$HOME_NET any -> $HOME_NET 143 (flags: A+; \
      content: "|e8 c0ff ffff|/bin/sh";  tag: host, 300, packets, src; \
      msg: "IMAP Buffer overflow, tagging!";)

alert tcp !$HOME_NET any -> $HOME_NET 23 (flags: S; \
     tag: session, 10, seconds; msg: "incoming telnet session";)

Figure 2.26: Tag Keyword Examples

Original Note ================================
Date: Thu, 22 May 2003 08:00:28 -0400
From: Brian <bmc@snort.org>
To: d_greenjr <d_greenjr@hotmail.com>
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] general sig question

On Thu, May 22, 2003 at 02:03:17AM -0400, d_greenjr wrote:
> Is there a way to have a rule alert-and/or log-only after the rule has been detected n amount of times from a specific source?
>
> For example, how can I edit the following rule to only alerts after the sensor detects this signature 20 times from a single node that is !$HOME_NET?

You can't do that in snort right now as we do not have thresholding support.

-brian

Tom Arseneault
Security Engineer
Counterpane Internet Security.
"All humans are born Right-Handed...but the great ones overcome it."  
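Added example (editor's illustration, not code from the original post or from the Snort project): a small Python simulation of the two behaviours discussed in this thread, run over a constructed packet stream. `run_tag_host` emulates `tag: host, <count>, packets, src` as the quoted manual text describes it (alert on the triggering packet, then log further traffic involving the source host), and `run_threshold` implements the per-source "alert only on the n-th match" logic the original question asks for. The rule check, the `$HOME_NET` prefix, the packet records and the reading of "involving the host" as src-or-dst are all assumptions made for the illustration; Snort's own matching is not reproduced.

```python
"""Tag (log more after a hit) versus per-source threshold (alert less often),
simulated over constructed packets. Illustration only, not Snort internals."""
from collections import defaultdict

HOME_NET = "192.168.1."  # assumption: a single /24 stands in for $HOME_NET
# Payload content from the manual's example rule: "|e8 c0ff ffff|/bin/sh"
IMAP_OVERFLOW = b"\xe8\xc0\xff\xff/bin/sh"


def imap_overflow_rule(pkt):
    """Rough stand-in for the quoted IMAP rule: external -> $HOME_NET:143
    with the overflow bytes in the payload (flags: A+ is not modelled)."""
    return (not pkt["src"].startswith(HOME_NET)
            and pkt["dst"].startswith(HOME_NET)
            and pkt["dport"] == 143
            and IMAP_OVERFLOW in pkt["payload"])


def run_tag_host(packets, rule, count):
    """`tag: host, <count>, packets, src`: when `rule` fires, alert on that
    packet and log it, then log the next <count> packets involving the
    source host (assumption: src or dst; a new hit resets the counter).
    Returns (alerted packet ids, logged packet ids)."""
    alerts, logged = [], []
    remaining = {}  # tagged host -> packets still to be logged
    for pkt in packets:
        if rule(pkt):
            alerts.append(pkt["id"])
            logged.append(pkt["id"])
            remaining[pkt["src"]] = count
            continue
        for host in (pkt["src"], pkt["dst"]):
            if remaining.get(host, 0) > 0:
                remaining[host] -= 1
                logged.append(pkt["id"])
                break
    return alerts, logged


def run_threshold(packets, rule, n, window_seconds):
    """What the original question asks for: alert only on the n-th rule match
    from one source within `window_seconds`, then start counting again.
    Returns the ids of the packets that produced an alert."""
    hits = defaultdict(list)  # src -> timestamps of recent matches
    alerts = []
    for pkt in packets:
        if not rule(pkt):
            continue
        src = pkt["src"]
        recent = [t for t in hits[src] if pkt["ts"] - t < window_seconds]
        recent.append(pkt["ts"])
        if len(recent) >= n:
            alerts.append(pkt["id"])
            recent = []
        hits[src] = recent
    return alerts


def mk(pid, ts, src, dst, dport, payload=b""):
    """Build one constructed packet record (not captured traffic)."""
    return {"id": pid, "ts": ts, "src": src, "dst": dst,
            "dport": dport, "payload": payload}


# Constructed stream: one attacker (10.9.9.9) hits the rule four times.
PACKETS = [
    mk(1, 0.0, "10.9.9.9", "192.168.1.5", 143, IMAP_OVERFLOW),   # rule fires
    mk(2, 0.1, "192.168.1.5", "10.9.9.9", 40000, b"* BAD"),       # reply: tagged
    mk(3, 0.2, "10.9.9.9", "192.168.1.5", 143, b"a001 NOOP"),     # tagged
    mk(4, 0.3, "10.1.1.1", "192.168.1.5", 143, b"a001 NOOP"),     # other host
    mk(5, 0.4, "10.9.9.9", "192.168.1.6", 22, b"SSH-2.0"),        # tagged (3rd)
    mk(6, 0.5, "10.9.9.9", "192.168.1.5", 143, b"a002 NOOP"),     # tag used up
    mk(7, 1.0, "10.9.9.9", "192.168.1.5", 143, IMAP_OVERFLOW),   # 2nd match
    mk(8, 2.0, "10.9.9.9", "192.168.1.5", 143, IMAP_OVERFLOW),   # 3rd match
    mk(9, 90.0, "10.9.9.9", "192.168.1.5", 143, IMAP_OVERFLOW),  # outside window
]

if __name__ == "__main__":
    print("tag host,3,packets:", run_tag_host(PACKETS, imap_overflow_rule, 3))
    print("threshold 3 in 60s:", run_threshold(PACKETS, imap_overflow_rule, 3, 60))
```

With a tag count of 3 the first hit alerts and then packets 2, 3 and 5 are logged on top of it, while packet 6 is dropped because the counter is used up; every later match still alerts on its own. The threshold run over the same stream alerts once, on packet 8, because that is the third match from 10.9.9.9 inside the 60-second window, and packet 9 starts a fresh count.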




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 27 19:26:07 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT
