<p><br>Hello,</p>
<p>I would like to include a rule when another is triggered, for example:</p>
<p>If this rule is triggered:<br>drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE<br>Malware Gator/Clarian Agent"; flow: to_server,established;<br>uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:
<br>policy-violation; reference:url,<br><a href="http://www3.ca.com/securityadvisor/pest/content.aspx?q=67999">www3.ca.com/securityadvisor/pest/content.aspx?q=67999</a>; sid: 2001306;<br>rev:5;)</p>
<p>I would like to also trigger this rule for n minutes/seconds:<br>drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80<br>connection initiated";)</p>
<p>I've looked at the tagging option for rules but I need to drop them, not<br>just log them.</p>
<p>Any ideas?</p>
<p> </p>
<p><a href="http://www.webservertalk.com/archive251-2005-12-1314914.html">http://www.webservertalk.com/archive251-2005-12-1314914.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2006-December/004607.html">
http://lists.ibiblio.org/pipermail/cc-licenses/2006-December/004607.html</a><br><a href="http://www.webservertalk.com/archive251-2005-12-1309708.html">http://www.webservertalk.com/archive251-2005-12-1309708.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2006-December/004731.html">
http://lists.ibiblio.org/pipermail/cc-licenses/2006-December/004731.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2004-June/000915.html">http://lists.ibiblio.org/pipermail/cc-licenses/2004-June/000915.html
</a><br><a href="http://9fans.net/archive/2005/04/4">http://9fans.net/archive/2005/04/4</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004203.html">http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004203.html
</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2005-March/001764.html">http://lists.ibiblio.org/pipermail/cc-licenses/2005-March/001764.html</a><br><a href="http://www.webservertalk.com/archive251-2005-10-1221632.html">
http://www.webservertalk.com/archive251-2005-10-1221632.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004360.html">http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004360.html
</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004454.html">http://lists.ibiblio.org/pipermail/cc-licenses/2006-October/004454.html</a><br><a href="http://9fans.net/archive/2005/04/251">http://9fans.net/archive/2005/04/251
</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2007-January/004931.html">http://lists.ibiblio.org/pipermail/cc-licenses/2007-January/004931.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2005-March/001765.html">
http://lists.ibiblio.org/pipermail/cc-licenses/2005-March/001765.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2007-January/004931.html">http://lists.ibiblio.org/pipermail/cc-licenses/2007-January/004931.html
</a><br><a href="http://root.cern.ch/root/roottalk/roottalk05/2994.html">http://root.cern.ch/root/roottalk/roottalk05/2994.html</a><br><a href="http://root.cern.ch/root/roottalk/roottalk05/2578.html">http://root.cern.ch/root/roottalk/roottalk05/2578.html
</a><br><a href="http://root.cern.ch/root/roottalk/roottalk04/2681.html">http://root.cern.ch/root/roottalk/roottalk04/2681.html</a><br><a href="http://9fans.net/archive/2005/04/366">http://9fans.net/archive/2005/04/366</a>
<br><a href="http://root.cern.ch/root/roottalk/roottalk05/2439.html">http://root.cern.ch/root/roottalk/roottalk05/2439.html</a><br><a href="http://root.cern.ch/root/roottalk/roottalk05/0505.html">http://root.cern.ch/root/roottalk/roottalk05/0505.html
</a><br><a href="http://sourceforge.net/mailarchive/message.php?msg_id=8539894">http://sourceforge.net/mailarchive/message.php?msg_id=8539894</a><br><a href="http://sourceforge.net/mailarchive/forum.php?thread_id=5617912&forum_id=9566">
http://sourceforge.net/mailarchive/forum.php?thread_id=5617912&forum_id=9566</a><br><a href="http://lists.us.dell.com/pipermail/dkms-devel/2005-December/000417.html">http://lists.us.dell.com/pipermail/dkms-devel/2005-December/000417.html
</a><br><a href="http://lists.us.dell.com/pipermail/dkms-devel/2005-March/000309.html">http://lists.us.dell.com/pipermail/dkms-devel/2005-March/000309.html</a><br><a href="http://www.webservertalk.com/archive251-2005-10-1222482.html">
http://www.webservertalk.com/archive251-2005-10-1222482.html</a></p>
<p>Sguil (pronounced sgweel) is built by network security analysts for<br>network security analysts. Sguil's main component is an intuitive GUI<br>that provides realtime events from snort/barnyard. It also includes<br>
other components which facilitate the practice of Network Security<br>Monitoring and event driven analysis of IDS alerts. The sguil client<br>is written in tcl/tk and can be run on any operating system that<br>supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
</p>
<p>Sguil version 0.6.0 contains two significant differences from previous<br>versions. The first difference is the use of the mysql MRG_MyISAM<br>(MERGE) engine for the sancp, event, *hdr, and data tables. With the<br>MERGE engine, it is possible to keep hundreds of millions of rows of
<br>data active and online and still be functional (queries to the DB are<br>reasonably responsive). The use of MERGE and the associated schema<br>makes backing up and restoring data amazingly simple and quick. The<br>UPGRADE text in the
sguil-0.6.0/doc directory of the source contains<br>more detail as well as upgrade instructions.</p>
<p>The second major change was to the sguil output plugin for barnyard<br>(op_sguil) and the communications structure between the sensors and<br>sguild. Op_sguil now uses tcl libraries and sends data via localhost<br>to the sensor's agent. All communications between the sensor and
<br>sguild now flow thru sensor_agent. This means the mysql libraries are<br>no longer needed on the sensors. Since barnyard does not need to be<br>compiled with mysql support, op_sguil (barnyard) and mysql 4+ may be<br>used together without any license conflicts.
</p>
<p><br><a href="http://lists.us.dell.com/pipermail/dkms-devel/2005-December/000425.html">http://lists.us.dell.com/pipermail/dkms-devel/2005-December/000425.html</a><br><a href="http://lists.ibiblio.org/pipermail/cc-licenses/2005-December/003059.html">
http://lists.ibiblio.org/pipermail/cc-licenses/2005-December/003059.html</a><br><a href="http://comments.gmane.org/gmane.comp.java.junit.announce/110">http://comments.gmane.org/gmane.comp.java.junit.announce/110</a><br><a href="http://9fans.net/archive/2006/08/6">
http://9fans.net/archive/2006/08/6</a><br><a href="http://9fans.net/archive/2005/03/82">http://9fans.net/archive/2005/03/82</a><br><a href="http://9fans.net/archive/2006/08/146">http://9fans.net/archive/2006/08/146</a><br>
<a href="http://blog.gmane.org/gmane.comp.java.junit.announce">http://blog.gmane.org/gmane.comp.java.junit.announce</a><br><a href="http://9fans.net/archive/2006/05/12">http://9fans.net/archive/2006/05/12</a><br><a href="http://9fans.net/archive/2005/03/97">
http://9fans.net/archive/2005/03/97</a><br><a href="http://9fans.net/archive/2006/05/131">http://9fans.net/archive/2006/05/131</a><br><a href="http://segate.sunet.se/cgi-bin/wa?A2=ind0409&L=handikapp&P=23681">http://segate.sunet.se/cgi-bin/wa?A2=ind0409&L=handikapp&P=23681
</a><br><a href="http://www.tutorials-blog.com/plan9/plan9-26.html">http://www.tutorials-blog.com/plan9/plan9-26.html</a><br><a href="http://9fans.net/archive/2006/05/255">http://9fans.net/archive/2006/05/255</a><br><a href="http://www.arcknowledge.com/gmane.comp.lang.c++.root/2004-09/threads.html">
http://www.arcknowledge.com/gmane.comp.lang.c++.root/2004-09/threads.html</a><br><a href="http://www.webservertalk.com/archive251-2005-10-1236635.html">http://www.webservertalk.com/archive251-2005-10-1236635.html</a><br><a href="http://news.gmane.org/group/gmane.comp.java.junit.announce/last=/force_load=t">
http://news.gmane.org/group/gmane.comp.java.junit.announce/last=/force_load=t</a><br><a href="http://9fans.net/archive/2006/05/274">http://9fans.net/archive/2006/05/274</a><br><a href="http://marc.10east.com/?l=mysap-linux-general&r=1&b=200503&w=1">
http://marc.10east.com/?l=mysap-linux-general&r=1&b=200503&w=1</a><br><a href="http://www.webservertalk.com/archive251-2005-9-1188388.html">http://www.webservertalk.com/archive251-2005-9-1188388.html</a><br><a href="http://www.webservertalk.com/archive251-2004-9.html">
http://www.webservertalk.com/archive251-2004-9.html</a><br><a href="http://www.webservertalk.com/archive251-2005-9-1217604.html">http://www.webservertalk.com/archive251-2005-9-1217604.html</a><br><a href="http://9fans.net/archive/2006/12/141">
http://9fans.net/archive/2006/12/141</a></p>
<p><br> have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't<br>seem to work as advertised. I have the following preprocessor line</p>
<p>preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir<br>/var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200,<br>file-descriptor-mode</p>
<p>I strace'd snort while downloading <a href="http://EICAR.COM">EICAR.COM</a> and the klez virus from a<br>remote HTTP server - the strace shows the daily.* files being loaded -<br>which tells me ClamAV is being enabled - but nothing got detected. I
<br>even ran tcpdump on the same interface and can see the HTTP download -<br>so it's definitely not a wiring issue either.</p>
<p>I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created,<br>opened,closed and unlinked - but no virus was detected. The summary that<br>is outputted when snort exits shows zero alerts - and nothing shows up
<br>via the syslog or mysql output processors I use.</p>
<p> </p>