|
|
|
|
Snort Forums Archive
Archive Home » Snort Development » SNORT rules dependency
Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.
[ Notice: Full Version of This Topic ]
SNORT rules dependency
Posted by niteshg on June 28, 2005 07:19:25
I wanted to know whether any of the snort rules are dependent on each other.
Are there some rules which cannot trigger before some other rule trigger?
I went through books on Snort and snort links but could not find any information on dependency.I thought that the rules are independent of each other and can trigger irrespective of other rules.
|
|
Posted by roesch on June 28, 2005 11:54:55
Snort rules don't generally have dependencies unless you're using the flowbits keyword in a set of rules. If you use flowbits you can setup dependencies so that you can do stateful analysis and basic communication between rules.
|
|
Posted by niteshg on June 29, 2005 06:44:44
Hello Roesch,
I tried to find some information on flowbits but could not find any helpful one. The snort book " Snort Intrusion Detection 2.0 doesnt mention anything about the flowbits and the little information on snort user manual is not of much help.I went through some rules in the Snort Database ,especially the rules with the flowbits option but cant understand if there is any interdependency between them. Are there any rules in the snort database containining dependency? If I know that particular rules have dependency then I can try to figure out the details.
Thanks,
Nitesh
|
|
Posted by roesch on June 29, 2005 18:23:30
Look in the doc directory, there's a README.flowbits file in there (and a lot of other really helpful
documentation...)
-Marty
|
|
Posted by niteshg on June 30, 2005 09:17:40
Thanks.Will look into it.
Nitesh |
|
Posted by niteshg on June 30, 2005 09:47:39
Thanks.Will look into it.
Nitesh |
|
|
|
|
|
