Subject: Re: [snort] Dynamic Rules?
From: Martin Roesch (roeschhiverworld.com)
Date: Wed Mar 22 2000 - 15:59:53 CST


I'm actually planning on implementing something like this pretty soon by
adding a flag to the rules data structures to mark them active or
inactive. Rules that activate follow-on logging will have a pointer to
the inactive RTN/OTN node that they activate, which it will set active
when the "key rule" activates. The rules which go active/inactive will
have a counter that gets decremented each time they are referenced. I
think in this way we can do what you describe in a computationally
inexpensive manner. The only tricky thing is setting up a rule option
type that will be able to activate the other rules correctly (i.e. the
activation function needs to be the last thing that happens before the
RuleListEnd or OptListEnd functions get called). I'll describe why if
anyone's interested...

    -Marty

David Klotz wrote:
>
> I'm fairly new to Snort, but after a few weeks of use I'm pretty impressed.
> It even allowed us to spot an actual penetration which might have otherwise
> gone unnoticed. One feature that I would really like, and am even thinking
> of adding myself, would be some way to add, or turn on, rules dynamically.
>
> For example, we noticed an unusual outgoing TELNET-daemon-active alert a
> couple days ago, and upon further investigation we realized it was the
> result of a break-in. What would really have been helpful at that point
> would have been the ability to start logging _all_ telnet traffic between
> our internal host and the suspect external one, and maybe even add a few
> more alerts that were specific to the suspect host. I've looked through the
> documentation and the newest "Writing Snort Rules" and didn't see anything
> that would allow this. I haven't looked closely at plugins, but I gather
> that might not be the way to go. On the other hand, changing the source
> code to do something like this doesn't look too hard.
>
> Does anyone know of anything that would do this? Am I missing something
> obvious? If someone has already done the work, I'd just as soon steal it
> from them rather than duplicate the effort.
>
> Thanks,
>
> DK
>
> --
> David Klotz
> Computer Security Lab
> UC - Davis
> klotzcs.ucdavis.edu

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
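The active/inactive flag, activation pointer and countdown counter that Marty sketches above, as an added C example that is not part of this thread or of Snort's own source: the rule and packet shapes are constructed, a flat array stands in for the RTN/OTN tree, and decrementing the counter once per packet the follow-on rule logs is an assumption.

```c
#include <string.h>

/* Constructed model of the reply's design (not Snort source): a "key" rule
 * points at a dormant follow-on rule and arms it with a counter; the follow-on
 * rule logs until the counter runs out, then goes inactive again. */
typedef struct Rule {
    const char *name;
    const char *pattern;     /* substring the payload must contain ("" = any) */
    int active;              /* 1 = evaluated, 0 = skipped entirely */
    int count;               /* packets left to log once armed (0 = no limit) */
    struct Rule *activates;  /* follow-on rule armed when this rule fires */
    int activate_count;      /* counter handed to the follow-on rule */
    int hits;                /* packets this rule alerted on or logged */
} Rule;

/* Evaluate one packet against the rule list. Arming the follow-on rule is the
 * last step, after this rule's own logging, as the reply requires. */
void process_packet(Rule *rules, int n, const char *payload)
{
    for (int i = 0; i < n; i++) {
        Rule *r = &rules[i];
        if (!r->active || strstr(payload, r->pattern) == NULL)
            continue;
        r->hits++;
        /* Assumed: the counter is decremented once per packet the rule logs. */
        if (r->count > 0 && --r->count == 0)
            r->active = 0;   /* counter expired: dormant again */
        if (r->activates) {
            r->activates->active = 1;
            r->activates->count = r->activate_count;
        }
    }
}

typedef struct { int key_hits, follow_hits, follow_active; } DemoResult;

/* Replay a constructed telnet session: the key rule fires on the "login:"
 * banner; the armed follow-on rule logs that packet plus the next two, then stops. */
DemoResult run_demo(void)
{
    Rule rules[2] = {
        { "telnet-daemon-active", "login:", 1, 0, NULL, 0, 0 },  /* key rule, always on */
        { "log-telnet-session",   "",       0, 0, NULL, 0, 0 },  /* follow-on, dormant */
    };
    rules[0].activates = &rules[1];
    rules[0].activate_count = 3;
    const char *pkts[] = { "GET /", "login:", "user", "pass", "ls", "whoami" };
    for (int i = 0; i < 6; i++) process_packet(rules, 2, pkts[i]);
    return (DemoResult){ rules[0].hits, rules[1].hits, rules[1].active };
}
```

Note that the "GET /" packet seen before the key rule fires is never logged, and "ls" and "whoami" are skipped again once the counter expires, which is the bounded, cheap follow-on logging the reply is after.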