[Snort-devel] Proposal: New rule action, "info"
Andrew R. Baker
andrewb at ...835...
Thu Nov 1 13:01:05 EST 2001
Matthew Callaway wrote:
> Well, along those lines, do you consider the current "alert" and "log"
> actions to be orthogonal? It seems to me that "alert" should
> do alerts and "log" should do logs. If you want both, specify both, if
> you only want one or the other, this would allow it. Right now, you
> can't do this (unless I'm missing something, which is entirely
The problem with having alert rules only alert and log rules only log
is that we use a first match engine. Thus if this behaviour were
present we would never log the packets associated with an alert.
Creating a new rule type is a bit overboard, especially since you said
you can use the custom ruletype code to simulate what you want (although
it is a bit of a hack). Two better ways of handling this case would be
to (A) create a null logging option for custom alert types (I thought
this was there, but I do not remember), or (B) add a nolog rule
modifier. Neither of these options will make it into version 1.8, but I
will keep the request in mind while work is being done on the next major
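As an added illustration of the custom ruletype approach the post refers to (this is example configuration written for this page, not code from the post or from the Snort project), the snort.conf fragment below declares a custom action that only alerts. It assumes a snort.conf where $HOME_NET is defined; the rule, its message and its sid are constructed for the example. The `output log_null` line uses an output plugin shipped in later Snort releases, which is the "null logging option" the post calls approach (A); on a release without it, omit that line and rely on attaching no logging plugin to the ruletype.

```conf
# Added example, not from the post: a custom rule action that alerts but does
# not log packets. Assumes $HOME_NET is set elsewhere in snort.conf.
ruletype info
{
    type alert
    # Only an alert output plugin is attached, so the action produces the
    # one-line alert record and nothing else.
    output alert_fast: info.alert
    # log_null: output plugin present in later Snort releases that discards
    # the packet instead of logging it (approach (A) in the post).
    output log_null
}

# The new action is used like a built-in one. Constructed rule; the sid is
# an arbitrary local-range value, not a real Snort rule id.
info tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt (informational)"; sid:1000001; rev:1;)
```

Because Snort evaluates rules first match, this ruletype is still subject to the ordering the post describes: a packet that matches an `info` rule before a matching `alert` rule is not logged by the later rule, so informational rules of this kind should be placed after the rules whose packet logs you want to keep.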