[Snort-devel] Proposal: New rule action, "info"

Matthew Callaway matt at ...807...
Thu Nov 1 10:34:08 EST 2001


I would like to propose a new default rule action.

In addition to alert, log, pass, activate, and dynamic, I would suggest
an action "info".  This action would generate the alert, but not log
the packet.

Currently, you can trick snort into doing this by defining an activate
rule that does not activate anything:

ruletype info {
  type activate
}

You would use this when you want to know what's going on on the network,
but you know that the packets are harmless, so you don't need to log
them.  E.g. I label some apache rules as "info" because I want to know
when exploits are attempted, but I know my apache has been patched
against them.  This gathers the info without logging the packet.

Opinions?

Matt
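As an added illustration (not part of Matt's post), this is how the "info" ruletype trick above would be declared in snort.conf and then used as the action of a rule for a service you have already patched; the rule's content string, sid and variable names are constructed placeholders, not real signatures.

```snort
# Added example, not from the original post.
# Custom rule action: fires an alert but, because the activate type
# never triggers a dynamic rule, no packet is written to the log.
ruletype info
{
    type activate
}

# Constructed example rule: note the action is the custom "info" above,
# not "alert". The content pattern and sid are placeholders.
info tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC attempt against patched handler (info only)"; content:"/cgi-bin/EXAMPLE"; nocase; sid:1000001; rev:1;)

# For comparison, the same rule with the stock "alert" action would also
# log the packet to the alert/log facility.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC attempt against unpatched handler"; content:"/cgi-bin/EXAMPLE"; nocase; sid:1000002; rev:1;)
```

Custom ruletypes must be declared before any rule that uses them, so keep the ruletype block near the top of snort.conf, ahead of the include lines for the rules files.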
