[Snort-devel] Proposal: New rule action, "info"

Andrew R. Baker andrewb at ...835...
Thu Nov 1 13:01:05 EST 2001


Matthew Callaway wrote:
> 
> Well, along those lines, do you consider the current "alert" and "log"
> actions to be orthogonal?  It seems to me that "alert" should
> do alerts and "log" should do logs. If you want both, specify both, if
> you only want one or the other, this would allow it.  Right now, you
> can't do this (unless I'm missing something, which is entirely
> possible).
> 

The problem with having alert rules only alert and log rules only log
is that we use a first match engine.  Thus if this behaviour were
present we would never log the packets associated with an alert.
Creating a new rule type is a bit overboard, especially since you said
you can use the custom ruletype code to simulate what you want (although
it is a bit of a hack).  Two better ways of handling this case would be
to (A) create a null logging option for custom alert types (I thought
this was there, but I do not remember), or (B) add a nolog rule
modifier.  Neither of these options will make it into version 1.8, but I
will keep the request in mind while work is being done on the next major
version.

-A
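The custom ruletype workaround referred to above, as an added example that is not part of the thread: a snort.conf fragment declaring an alert-type action with only an alert output plugin attached, so a rule using it raises an alert without logging the packet. The ruletype name, output file name and the rule itself are constructed; $HOME_NET is assumed to be defined earlier in the configuration.

```conf
# Constructed snort.conf fragment (Snort 1.x syntax).
# A custom ruletype of type "alert" with an alert output plugin and
# no "output log_*" plugin: matching packets produce an alert record
# but are never written to the log directory.
ruletype alert_nolog
{
    type alert
    output alert_fast: alert_nolog.fast
}

# The stock "alert" action would alert AND log the packet:
#   alert tcp any any -> $HOME_NET 23 (msg:"TELNET login attempt"; flags:S;)
# The custom action alerts only:
alert_nolog tcp any any -> $HOME_NET 23 (msg:"TELNET login attempt"; flags:S;)
```

Because the engine stops at the first matching rule, a packet matched by alert_nolog will not fall through to a later log rule; the ruletype only changes what the action itself emits.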
