[Snort-users] Re: [Snort-devel] variable substitution in ruletype definition

Phil Wood cpw at ...440...
Sat Apr 7 19:05:11 EDT 2001


It works like a champ.  Thanks.  

Using:

-*> Snort! <*-
Version 1.7.1-beta3 (Build 10)
By Martin Roesch (roesch at ...66..., www.snort.org)

Here was my test:

  var SYSFACILITY LOG_LOCAL5
  var SYSPRIORITY LOG_DEBUG
  var SYSOPTIONS LOG_PERROR
  ...
  ruletype redalert
  {
    type alert
    output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
  }
  ...
  redalert udp any any > $INTERNAL any (msg: "REDALERT";)

I set INTERNAL to my host, and started snort.  Here is an entry that
showed up in my syslog file:

  Apr 7 16:34:27 linuxbox snort: REDALERT: 172.16.7.6:63912 -> 172.16.114.97:1
  Apr 7 16:34:52 linuxbox last message repeated 2 times

Here is my syslog.conf entry:

  local5.*                /var/log/snort.log

And, I remembered to:

  touch /var/log/snort.log
  
and restart the syslog daemon.

And, to top it all off, the LOG_PERROR did as advertised and sent the same
message to STDERR.

  snort: REDALERT: 172.16.7.6:63912 -> 172.16.114.97:1

I'd say you have a winner in the "let's make up a special type of alert"
department.

I suggest that anyone trying this out for the first time must verify the
criteria in the special rule (in my case any any > mysystem any) would trigger
a normal alert.  I just spent a few hours going down a rathole because:

  1. My bpf filter applied to packets before snort sees them was only letting
     in packets addressed to a different network than my host's network!

  2. My INTERNAL variable was not set to a value that would trigger a normal
     alert.

  3. My brain was in the south of France.

On Fri, Apr 06, 2001 at 10:53:26PM -0400, Martin Roesch wrote:
> Did you check it and verify that it's working? It seems to be ok here...
> 
>     -Marty
> 
-- 
Phil Wood, cpw at ...440...
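
Added here as an illustration (not Phil's test and not Snort's own code): a small Python model of the variable substitution the post exercises, expanding `$NAME` references inside the ruletype block and the rule line and reporting any variable that is used before it has been defined, which is the kind of misconfiguration item 2 above describes. The `INTERNAL` value is made up, and the top-down, define-before-use order is an assumption about how snort reads its config.

```python
import re

# Constructed snort.conf fragment modelled on the post; the INTERNAL value is made up.
SAMPLE_CONF = """\
var SYSFACILITY LOG_LOCAL5
var SYSPRIORITY LOG_DEBUG
var SYSOPTIONS LOG_PERROR
var INTERNAL 172.16.114.97
ruletype redalert
{
  type alert
  output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
}
redalert udp any any > $INTERNAL any (msg: "REDALERT";)
"""

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def expand_vars(conf_text):
    # Expand $NAME top-down (assumed to mirror snort's parse: a var must be
    # defined before the line that uses it). Returns (expanded_lines, undefined).
    variables, expanded, undefined = {}, [], []

    def substitute(text):
        def repl(m):
            name = m.group(1)
            if name not in variables:
                undefined.append(name)
                return m.group(0)  # keep the unresolved $NAME visible
            return variables[name]
        return VAR_RE.sub(repl, text)

    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = substitute(parts[2])  # values may use earlier vars
            continue
        expanded.append(substitute(raw))
    return expanded, undefined

def ruletype_outputs(expanded_lines):
    # Map each ruletype name to its (already expanded) output plugin lines.
    outputs, current = {}, None
    for line in expanded_lines:
        s = line.strip()
        if s.startswith("ruletype "):
            current = s.split()[1]
            outputs[current] = []
        elif s == "}":
            current = None
        elif current and s.startswith("output "):
            outputs[current].append(s[len("output "):])
    return outputs
```

Running `expand_vars(SAMPLE_CONF)` on a config where `$INTERNAL` is still unresolved is a quick way to spot the "variable not set" case before staring at an empty syslog.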
