[Snort-devel] Re: Snort-devel digest, Vol 1 #1544 - 1 msg

Alejandro Cabrera alex at ...2771...
Mon Jun 6 06:22:54 EDT 2005

I was debugging my plugin and did not find any error. But I think that the
error is in another part. I share this info with you because maybe you
can help me.
This is independent of my plugin, so I think that my error is in
the configuration, but I did everything as the docs say.

1-) I create a ruletype like this:

ruletype exec
{
    type alert
    output alert_fast: snort.fast
}

This tells snort that, for the rule type exec, the alert is logged to the
snort.fast file in the log directory.

2-) And I change this rule (swap alert for exec --> the new ruletype):

exec icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

3-) I run snort like this:
snort -dev -c etc/snort.conf -l /snort/ -h

4-) Later I send an ICMP packet of size 1000 so that
snort detects the "ICMP Large ICMP Packet" rule --> the rule I changed before,
like this:
ping -c 1 -s 1000

Well, in the summary it tells me that it found 5 ALERTs and LOGGED 5,
but when I look in /snort/ there is no file with the alerts.
I try to run snort like this:

snort -dev -c etc/snort.conf -l /snort/ -h -A fast

And it logs 5 alerts in /snort/alerts, none of them the "ICMP Large ICMP
Packet"; it creates /snort/snort.fast but doesn't write any
alert to it, the file is 0 bytes.
If I delete the exec ruletype and run snort as before, it logs
the "ICMP Large ICMP Packet" into /snort/alerts.
So I think that I did something wrong. I was reading some docs about
snort config but I don't see any error. If you have any idea about this,
please help me,
thanks very much
PS: Excuse my bad English.
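A check a reader of this thread might want, added here as an example and not part of the original message or of Snort's own code: a small Python lint that reads a snort.conf-style text, picks out `ruletype` blocks and rules, and reports the structural problems relevant to the steps above (a ruletype block that is never closed with `}`, a ruletype without a `type` or `output` line, and a rule whose action is neither a built-in action nor a defined ruletype). The brace syntax follows the `ruletype` declaration in the Snort 2.x manual; the `BUILTIN_ACTIONS` set is an assumption about the Snort 2.x rule actions, the sample configurations are constructed, and the lint is not Snort's parser (it ignores `var`, `preprocessor`, `include` and line continuations).

```python
"""Lint for Snort 2.x custom ruletype blocks and the rules that use them.

Constructed example for the thread above; it is NOT Snort's own parser.
It only checks the points a custom ruletype can get wrong structurally.
"""
import re

# Assumption: rule actions built into Snort 2.x (anything else must be a ruletype).
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                   "drop", "reject", "sdrop"}

# "ruletype NAME" optionally followed by the opening brace on the same line.
RULETYPE_RE = re.compile(r"^ruletype\s+(\w+)\s*(\{)?$")
# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def parse_config(text):
    """Return (ruletypes, rules, errors).

    ruletypes: {name: {"type": str | None, "outputs": [str], "line": int}}
    rules:     [(action, sid or None, line_no)]
    errors:    structural problems found while parsing
    """
    ruletypes, rules, errors = {}, [], []
    current = None  # name of the ruletype block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is not None:
            # Inside a ruletype block: only "{", "}", "type" and "output" belong here.
            if line == "{":
                continue
            if line == "}":
                current = None
                continue
            key, _, value = line.partition(" ")
            if key == "type":
                ruletypes[current]["type"] = value.strip()
            elif key == "output":
                ruletypes[current]["outputs"].append(value.strip())
            else:
                # A rule or directive before the closing brace means the block
                # was never closed (the missing-brace mistake).
                errors.append(
                    f"line {lineno}: unexpected '{key}' inside ruletype {current}")
            continue
        m = RULETYPE_RE.match(line)
        if m:
            current = m.group(1)
            ruletypes[current] = {"type": None, "outputs": [], "line": lineno}
            continue
        m = RULE_RE.match(line)
        if m:
            sid = SID_RE.search(m.group(8))
            rules.append((m.group(1), int(sid.group(1)) if sid else None, lineno))
        # var / preprocessor / include / global output lines are ignored here.
    if current is not None:
        errors.append(f"ruletype {current} is never closed with '}}'")
    return ruletypes, rules, errors


def lint(text):
    """Return a list of human-readable problems; empty list means clean."""
    ruletypes, rules, errors = parse_config(text)
    for name, rt in ruletypes.items():
        if rt["type"] is None:
            errors.append(f"ruletype {name}: missing 'type' line")
        elif rt["type"] not in BUILTIN_ACTIONS:
            errors.append(f"ruletype {name}: unknown type '{rt['type']}'")
        if not rt["outputs"]:
            errors.append(f"ruletype {name}: no 'output' line, its alerts go nowhere")
    for action, sid, lineno in rules:
        if action not in BUILTIN_ACTIONS and action not in ruletypes:
            errors.append(f"line {lineno} (sid {sid}): action '{action}' is "
                          "neither built-in nor a defined ruletype")
    return errors


RULE = ('exec icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP '
        'Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; '
        'sid:499; rev:4;)')

# Constructed sample: ruletype written with the braces the manual shows.
GOOD_CONFIG = "var HOME_NET 192.168.1.0/24\nruletype exec\n{\n    type alert\n" \
              "    output alert_fast: snort.fast\n}\n" + RULE + "\n"
# Constructed sample: the same block with the braces left out.
BROKEN_CONFIG = "ruletype exec\ntype alert\noutput alert_fast: snort.fast\n" + RULE + "\n"
# Constructed sample: rule whose action is a typo of the ruletype name.
UNDEFINED_ACTION_CONFIG = GOOD_CONFIG.replace(RULE, RULE.replace("exec ", "exe ", 1))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG),
                       ("undefined", UNDEFINED_ACTION_CONFIG)):
        print(label, lint(cfg) or "clean")
```

Run it against your own snort.conf text with `lint(open("snort.conf").read())`; an empty list means the ruletype blocks and rule actions are at least structurally consistent, which narrows the search to the output plugin and command-line options.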

