[Snort-devel] Proposal: New rule action, "info"

Matthew Callaway matt at ...807...
Thu Nov 1 19:32:02 EST 2001


Thanks!

Just a note on semantics though.  In discussing "logging" and
"alerting", I have found it a bit confusing.  Does "logging" mean
"logging the alert string to syslog" or "logging the packet"?  Well, we
all know that we mean packet logging, but it *is* confusing.  You might
edit the "Purpose" string in the spo_log_null plugin to say:

 * This module is a NULL placeholder for people that want to turn off
 * packet logging for whatever reason, while still sending alerts to
 * the system logging facility.


Just a suggestion.

Matt


On Thu, 1 Nov 2001, Martin Roesch wrote:

> Ok, I just checked in spo_log_null, so you can now do this:
>
> ruletype info {
> 	type alert
> 	output alert_fast: info.alert
> 	output log_null
> }
>
> and not have the packets logged.  It's a hack, but it's a prettier hack.
> :)
>
>      -Marty
>
> Matthew Callaway wrote:
> >
> > In that case, I'll just hold off until development of 2.0 gets underway,
> > and stick with my hack for now.
> >
> > Matt
> >
> > On Thu, 1 Nov 2001, Martin Roesch wrote:
> >
> > > That said, we're finally ready to begin development on Snort 2.0 and I
> > > expect to do so starting in December.  Snort 2.0 will be a lot cleaner
> > > than the current design, and when it's ready I think people will be
> > > happy with the overall level of flexibility and power offered by the
> > > second generation of the system.
>
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
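As an added illustration that is not part of the thread, the custom action above wired into a snort.conf fragment alongside a rule that uses it; the rule, the alert file name and the $HOME_NET / $EXTERNAL_NET variables are assumptions, and the alert_syslog line is the variant Matt's wording points at (alerts to syslog, no packet log).

```snort
# Custom rule action "info": raise an alert but do not log the packet.
# Assumed snort.conf fragment; output plugin names are those from the thread.
ruletype info {
    type alert
    output alert_fast: info.alert          # one-line alert record (assumed file name)
    output alert_syslog: LOG_AUTH LOG_ALERT # alert string to the system logging facility
    output log_null                        # discard the packet instead of logging it
}

# Assumed variables; a real deployment defines these elsewhere in snort.conf.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Informational rule using the new action: an inbound SSH SYN is noted,
# but the packet itself is not written to the packet log.
info tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INFO inbound SSH connection attempt"; flags:S; sid:1000001; rev:1;)

# For comparison, the stock "alert" action both alerts and logs the packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET inbound connection attempt"; flags:S; sid:1000002; rev:1;)
```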