[Snort-users] ruletype bug?
Andrew R. Baker
andrewb at ...1150...
Sat Mar 17 03:05:47 EST 2001
There may be two seperate issues here.
First, the ruletype parsing code does not like leading tabs in the
ruletype definitions (I cannot tell if you
have these or not.)
Second, you cannot declare a new ruletype that begins with the name of
an existing ruletype (ie no new rule types can
begin with "alert" since it is already a defined ruletype). This also
comes from how the parser works.
I am working on patches to correct both of these problems.
Try changing the "alertsyslog" ruletype to something else (like
"syslogalert") and removing any leading tabs in
the ruletype definitions. That should correct the problem of snort not
Also, defining an alert output plugin in a logging ruletype will not do
anything since logging ruletypes only
use the logging functions. You should either change the onlylog
ruletype to type alert or bind a logging
output plugin to it.
John_Delisle at ...1523... wrote:
> Hi everyone,
> I'm trying to build a conf file that will have two types of alerts, one
> called onlylog and one called alertsyslog. They should both do full
> logging, but alertsyslog should also send messages to syslog.
> Here are my ruletype definitions:
> ruletype onlylog
> type log
> output alert_full: /tmp/onlylog
> ruletype alertsyslog
> type alert
> output alert_syslog: LOG_AUTH LOG_ALERT
> output alert_full: /tmp/alertsyslog
> I've changed all my rules to use these two ruletypes. When I start snort,
> it just dies with no errors. I'm using the following command line:
> snort -c /var/log/snort/rules/rules.conf -d -D -e -i eth1
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
More information about the Snort-users