[Snort-users] Using "ruletype" keyword

Johnathan Corgan jcorgan at ...1638...
Wed Apr 4 23:14:50 EDT 2001


I'm trying to create a simple set of custom rules using the "ruletype" 
keyword. Unfortunately, I must have a very basic misunderstanding of how to 
do it, as I can't even get the example from "Writing Snort Rules" to work. 
Here is my snort.conf:

var INTERNAL xx.xx.xx.xx/xx
var EXTERNAL !xx.xx.xx.xx/xx
preprocessor defrag
preprocessor http_decode: 80

ruletype suspicious
{
	type log
	output log_tcpdump: suspicious.log
}

include vision.rules
include local.rules

Snort (1.7) will fail upon startup with this error message (all on one line):

ERROR line snort.conf (8): Type not defined for rule file declaration: suspicious

Suggestions? I feel like this must be the "Hello, world" of snort configs and 
I can't get it to compile :-)

Johnathan Corgan
Atlas Enterprises Internet



