[Snort-users] Using "ruletype" keyword

Joe McAlerney joey at ...155...
Thu Apr 5 12:48:46 EDT 2001


This is an odd one but I think I know what's going on.  Try removing the
tab (or substituting spaces) before the "type" and "output" keywords in
your ruletype.  If I get some time I'll see if I can provide a patch to
fix that.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+


Johnathan Corgan wrote:
> 
> I'm trying to create a simple set of custom rules using the "ruletype"
> keyword. Unfortunately, I must have a very basic misunderstanding of how to
> do it, as I can't even get the example from "Writing Snort Rules" to work.
> Here is my snort.conf:
> 
> var INTERNAL xx.xx.xx.xx/xx
> var EXTERNAL !xx.xx.xx.xx/xx
> preprocessor defrag
> preprocessor http_decode: 80
> 
> ruletype suspicious
> {
>         type log
>         output log_tcpdump: suspicious.log
> }
> 
> include vision.rules
> include local.rules
> 
> Snort (1.7) will fail upon startup with this error message (all on one line):
> 
> ERROR line snort.conf (8): Type not defined for rule file declaration:
> suspicious
> 
> Suggestions? I feel like this must be the "Hello, world" of snort configs and
> I can't get it to compile :-)
> 
> Johnathan Corgan
> Atlas Enterprises Internet
> 

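The workaround suggested in the reply above, as an added example that is not part of the original thread or of Snort: a Python check that flags `type` and `output` lines indented with a tab inside a `ruletype` block and rewrites them with spaces. The function name, the sample config and the 8-space replacement width are assumptions, and that tabs are the cause is the reply's hypothesis, not something verified here.

```python
import re

# Constructed sample: the ruletype block from the post, indented with tabs.
SAMPLE_CONF = (
    "preprocessor defrag\n"
    "ruletype suspicious\n"
    "{\n"
    "\ttype log\n"
    "\toutput log_tcpdump: suspicious.log\n"
    "}\n"
    "include local.rules\n"
)

# Leading whitespace followed by one of the two keywords named in the reply.
KEYWORD = re.compile(r"^([ \t]*)(type|output)\b")


def check_ruletype_tabs(conf_text):
    """Return (findings, fixed_text) for a snort.conf given as a string.

    findings: (line_number, keyword) for each "type"/"output" line inside a
    ruletype { ... } block whose leading whitespace contains a tab.
    fixed_text: the config with those leading tabs replaced by 8 spaces each
    (hypothetical width; any number of spaces serves the workaround).
    """
    findings, out = [], []
    pending = in_block = False
    for lineno, line in enumerate(conf_text.splitlines(keepends=True), 1):
        stripped = line.strip()
        if not in_block:
            if stripped.startswith("ruletype"):
                pending = True          # brace may be on this or a later line
            if pending and "{" in stripped:
                in_block, pending = True, False
        elif stripped.startswith("}"):
            in_block = False
        else:
            m = KEYWORD.match(line)
            if m and "\t" in m.group(1):
                findings.append((lineno, m.group(2)))
                line = m.group(1).replace("\t", " " * 8) + line[m.end(1):]
        out.append(line)
    return findings, "".join(out)


if __name__ == "__main__":
    found, fixed = check_ruletype_tabs(SAMPLE_CONF)
    for lineno, kw in found:
        print(f"line {lineno}: tab before '{kw}' in ruletype block")
    print(fixed, end="")
```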


