[Snort-users] Using "ruletype" keyword

Joe McAlerney joey at ...155...
Thu Apr 5 13:25:31 EDT 2001


It looks like this was already fixed in the CVS version.  Try that out.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Joe McAlerney wrote:
> 
> This is an odd one but I think I know what's going on.  Try removing the
> tab (or substituting spaces) before the "type" and "output" keywords in
> your ruletype.  If I get some time I'll see if I can provide a patch to
> fix that.
> 
> -Joe M.
> 
> --
> |   Joe McAlerney     joey at ...155...   |
> | Silicon Defense - Technical Support for Snort |
> |       http://www.silicondefense.com/          |
> +--                                           --+
> 
> Johnathan Corgan wrote:
> >
> > I'm trying to create a simple set of custom rules using the "ruletype"
> > keyword. Unfortunately, I must have a very basic misunderstanding of how to
> > do it, as I can't even get the example from "Writing Snort Rules" to work.
> > Here is my snort.conf:
> >
> > var INTERNAL xx.xx.xx.xx/xx
> > var EXTERNAL !xx.xx.xx.xx/xx
> > preprocessor defrag
> > preprocessor http_decode: 80
> >
> > ruletype suspicious
> > {
> >         type log
> >         output log_tcpdump: suspicious.log
> > }
> >
> > include vision.rules
> > include local.rules
> >
> > Snort (1.7) will fail upon startup with this error message (all on one line):
> >
> > ERROR line snort.conf (8): Type not defined for rule file declaration:
> > suspicious
> >
> > Suggestions? I feel like this must be the "Hello, world" of snort configs and
> > I can't get it to compile :-)
> >
> > Johnathan Corgan
> > Atlas Enterprises Internet
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list