What's this? Sticky-drop? Can someone provide a link to more
information? Google searches have not been fruitful. I'm using snort
2.4.3 and a grep of the source tree for "sticky" came back with nothing.
Is there a patch?
Also, are there any known bugs with connection resets? I think the
reset packets may not be getting sent to both ends of the connection or
else might not have the proper source port set.
Finally, there's a bug filed on Sourceforge that says that "After a lot
of tries, a packet can pass through snort-inline" [1]. Is this a
confirmed issue. I've seen some behavior that suggests it could be
true, but I haven't tracked it down yet.
Thanks,
..Patrick
1.
http://sourceforge.net/tracker/index.php?func=detail&aid=876404&group_id=78497&atid=553467
On Tue, 2005-12-06 at 11:19 -0600, Will Metcalf wrote:
sticky-drop in snort-inline can do this. You could probably
accomplish the same thing with Snortsam In InlineMode(); but I haven't
tried it.
Regards,
Will
On 12/6/05, oink@signalno9.org <oink@signalno9.org> wrote:
Hello,
I would like to include a rule when another is triggered, for example:
If this rule is triggered:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE
Malware Gator/Clarian Agent"; flow: to_server,established;
uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:
policy-violation; reference:url,
www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306;
rev:5;)
I would like to also trigger this rule for n minutes/seconds:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)
I've looked at the tagging option for rules but I need to drop them, not
just log them.
Any ideas?
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id�865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Patrick Walsh
eSoft Incorporated
303.444.1600 x3350
http://www.esoft.com/
signature.asc
Description: This is a digitally signed message part
