[Snort-users] ruletype bug?

John_Delisle at ...1523...
Mon Mar 19 09:06:31 EST 2001

I think I fell into both of those categories!! I'll re-write my definitions
and try again, thanks!

John Delisle
Corporate Technology
Ceridian Canada Ltd

"Andrew R. Baker" <andrewb at ...1607...om>
To: John_Delisle at ...1523...
cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ruletype bug?
Sent by: andrewb at ...1608...
2001/03/17 02:05

There may be two separate issues here.

First, the ruletype parsing code does not like leading tabs in the
ruletype definitions (I cannot tell if you have these or not.)

Second, you cannot declare a new ruletype that begins with the name of
an existing ruletype (i.e. no new rule types can begin with "alert" since
it is already a defined ruletype).  This also comes from how the parser
works.

I am working on patches to correct both of these problems.

Try changing the "alertsyslog" ruletype to something else (like
"syslogalert") and removing any leading tabs in the ruletype
definitions.  That should correct the problem of snort not starting
properly.

Also, defining an alert output plugin in a logging ruletype will not do
anything since logging ruletypes only use the logging functions.  You
should either change the onlylog ruletype to type alert or bind a
logging output plugin to it.


John_Delisle at ...1523... wrote:
> Hi everyone,
> I'm trying to build a conf file that will have two types of alerts, one
> called onlylog and one called alertsyslog.  They should both do full
> logging, but alertsyslog should also send messages to syslog.
> Here are my ruletype definitions:
> ruletype onlylog
> {
>    type log
>    output alert_full: /tmp/onlylog
> }
> ruletype alertsyslog
> {
>    type alert
>    output alert_syslog: LOG_AUTH LOG_ALERT
>    output alert_full: /tmp/alertsyslog
> }
> I've changed all my rules to use these two ruletypes.  When I start
> it just dies with no errors.  I'm using the following command line:
> snort -c /var/log/snort/rules/rules.conf -d -D -e -i eth1
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
> 204-975-5909
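An added example, not part of the thread and not Snort's own parser: a small Python lint that encodes the three pitfalls Andrew describes (leading tabs inside a ruletype definition, a new ruletype name that begins with an existing ruletype name, and an alert output plugin bound to a type log ruletype, which is silently ignored). The two configs embedded below are constructed: the broken one reproduces John's definitions with tab indentation added, since the mail does not show whether his indentation was tabs, and the fixed one applies Andrew's advice (rename alertsyslog to syslogalert, make onlylog type alert, indent with spaces). The list of built-in ruletypes and the "alert_" prefix used to recognise alert output plugins are assumptions for this lint, not a statement about how Snort's parser is written.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: rule types Snort 1.x already defines.  A user ruletype whose
# name *begins* with any of these (or with an earlier user ruletype) is
# flagged, per the reply above.
BUILTIN_RULETYPES = ("alert", "log", "pass", "activate", "dynamic")

# Constructed: John's definitions, indented with tabs to show the tab check.
BROKEN_CONF = """\
ruletype onlylog
{
\ttype log
\toutput alert_full: /tmp/onlylog
}
ruletype alertsyslog
{
\ttype alert
\toutput alert_syslog: LOG_AUTH LOG_ALERT
\toutput alert_full: /tmp/alertsyslog
}
"""

# Constructed: the same intent with Andrew's fixes applied (spaces, renamed
# ruletype, onlylog switched to type alert so alert_full is actually used).
FIXED_CONF = """\
ruletype onlylog
{
    type alert
    output alert_full: /tmp/onlylog
}
ruletype syslogalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_full: /tmp/syslogalert
}
"""


@dataclass
class RuleType:
    name: str
    type: Optional[str] = None          # value of the "type" line, if any
    outputs: List[str] = field(default_factory=list)  # output plugin names
    has_leading_tab: bool = False       # any line of the block began with a tab


def parse_ruletypes(conf: str) -> List[RuleType]:
    """Collect 'ruletype NAME { ... }' blocks from snort.conf text.

    Only the pieces the lint needs are kept: the name, the 'type' keyword,
    the output plugin names, and whether any line in the block starts with
    a tab.  Comment lines are skipped.
    """
    defs: List[RuleType] = []
    current: Optional[RuleType] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            m = re.match(r"ruletype\s+(\S+)", line)
            if m:
                current = RuleType(name=m.group(1), has_leading_tab=raw.startswith("\t"))
            continue
        # Inside a definition: the tab check applies to every line of the block.
        if raw.startswith("\t"):
            current.has_leading_tab = True
        if line == "{":
            continue
        if line == "}":
            defs.append(current)
            current = None
            continue
        m = re.match(r"type\s+(\S+)", line)
        if m:
            current.type = m.group(1)
            continue
        m = re.match(r"output\s+(\w+)\s*:", line)
        if m:
            current.outputs.append(m.group(1))
    return defs


def lint_ruletypes(conf: str) -> List[str]:
    """Return one message per problem found; an empty list means clean."""
    problems: List[str] = []
    known = list(BUILTIN_RULETYPES)   # grows as user ruletypes are defined
    for rt in parse_ruletypes(conf):
        if rt.has_leading_tab:
            problems.append(f"{rt.name}: leading tab in definition")
        for existing in known:
            if rt.name.startswith(existing):
                problems.append(f"{rt.name}: name begins with existing ruletype '{existing}'")
                break
        if rt.type == "log":
            # Assumption: alert output plugins are the ones named alert_*.
            for plug in rt.outputs:
                if plug.startswith("alert_"):
                    problems.append(
                        f"{rt.name}: alert output plugin '{plug}' in a log ruletype is ignored")
        known.append(rt.name)
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for msg in lint_ruletypes(conf) or ["no problems"]:
            print("  " + msg)
```

Running it prints four findings for the broken config (two for each ruletype) and none for the fixed one. The prefix check is deliberately applied against earlier user-defined ruletypes too, not just the built-ins, because the reply says the restriction comes from how the parser matches names, so a second user ruletype named, say, onlylogfull would hit the same problem as alertsyslog.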
