[Snort-users] Re: [Snort-devel] variable substitution in ruletype definition
cpw at ...440...
Sat Apr 7 19:05:11 EDT 2001
It works like a champ. Thanks.
-*> Snort! <*-
Version 1.7.1-beta3 (Build 10)
By Martin Roesch (roesch at ...66..., www.snort.org)
Here was my test:
var SYSFACILITY LOG_LOCAL5
var SYSPRIORITY LOG_DEBUG
var SYSOPTIONS LOG_PERROR
output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
redalert udp any any > $INTERNAL any (msg: "REDALERT";)
I set INTERNAL to my host, and started snort. Here is an entry that
showed up in my syslog file:
Apr 7 16:34:27 linuxbox snort: REDALERT: 172.16.7.6:63912 -> 172.16.114.97:1
Apr 7 16:34:52 linuxbox last message repeated 2 times
Here is my syslog.conf entry:
And, I remembered to:
and restart the syslog daemon.
And, to top it all off, the LOG_PERROR did as advertised and sent the same
message to STDERR.
snort: REDALERT: 172.16.7.6:63912 -> 172.16.114.97:1
I'd say you have a winner in the "let's make up a special type of alert"
I suggest that anyone trying this out for the first time must verify that the
criteria in the special rule (in my case any any > mysystem any) would trigger
a normal alert. I just spent a few hours going down a rathole because:
1. My bpf filter applied to packets before snort sees them was only letting
in packets addressed to a different network than my host's network!
2. My INTERNAL variable was not set to a value that would trigger a normal
3. My brain was in the south of France.
On Fri, Apr 06, 2001 at 10:53:26PM -0400, Martin Roesch wrote:
> Did you check it and verify that it's working, it seems to be ok here...
Phil Wood, cpw at ...440...
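As an added example (not from the post above or from the Snort project): a small Python parser for the syslog lines that alert_syslog produces in the format shown in the post. It folds syslog's "last message repeated N times" lines into the preceding alert's count, so the number of hits for a given rule msg can be checked against what the rule was expected to fire on. The sample log lines are constructed from the ones in the post; the `rule_msg` filter and the record layout are this example's own choices.

```python
import re

# Constructed sample syslog lines, modelled on the entries quoted in the post.
SAMPLE_LOG = """\
Apr 7 16:34:27 linuxbox snort: REDALERT: 172.16.7.6:63912 -> 172.16.114.97:1
Apr 7 16:34:52 linuxbox last message repeated 2 times
Apr 7 16:35:10 linuxbox snort: REDALERT: 172.16.7.6:63913 -> 172.16.114.97:1
Apr 7 16:35:11 linuxbox sshd[123]: Accepted publickey for phil
"""

# Syslog line: timestamp, host, then the message. alert_syslog writes the rule's
# msg string first, followed by "src:port -> dst:port".
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"(?P<msg>[^:]+): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# syslogd collapses consecutive identical messages into this line.
REPEAT_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$"
)


def parse_snort_syslog(text, rule_msg=None):
    """Return one record per distinct alert line, with 'count' including any
    'last message repeated N times' lines that immediately follow it.
    If rule_msg is given, only alerts whose msg matches are returned."""
    records = []
    last = None  # the alert record a following "repeated" line would refer to
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = {k: m.group(k) for k in ("ts", "host", "msg", "src", "dst")}
            rec["sport"] = int(m.group("sport"))
            rec["dport"] = int(m.group("dport"))
            rec["count"] = 1
            if rule_msg is None or rec["msg"] == rule_msg:
                records.append(rec)
                last = rec
            else:
                last = None  # repeats of a filtered-out alert must not be counted
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            last["count"] += int(r.group("n"))
            continue
        last = None  # any other line breaks the repeat chain
    return records
```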