[Snort-users] Nimda specific logging
Andrew R. Baker
andrewb0x29a at ...131...
Wed Oct 10 19:42:06 EDT 2001
By default, your nimda ruletype will be evaluated after all other
ruletypes unless you change the rule evaluation order by adding an "order"
directive in the configuration file. Something like:
order: nimda activation dynamic alert log pass
would have your nimda rule evaluated first.
--- Subba Rao <subba9 at ...530...> wrote:
> I am trying to log Nimda specific traffic to a file "nimda.log".
> In snort.conf, I have defined a new ruletype, which is as follows:
> ruletype nimda
> {
>   type alert
>   output alert_fast: nimda.log
> }
> In my "nimda.rules" file, the rule syntax is as follows:
> nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (.......)
> With this new ruletype, I do not see any nimda specific logging going
> into the "nimda.log". When I run SnortSnarf on the existing "alert"
> there is mention of the "nimda.rules file" to some alerts.
> Could someone point out what I am missing for this new ruletype?
> Thank you in advance.
> Subba Rao
> subba9 at ...530... http://members.home.net/subba9/
> OpenPGP/GPG public key ID CCB7344E
> => Time is relative. Here is a new way to look at time. <=
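As an added illustration of the point in Andrew's reply (this is not code from the thread or from Snort itself), the following Python model mimics Snort 1.x rule-type ordering: rule types are walked in the configured order, the first matching rule wins, and a custom ruletype such as "nimda" is appended after the built-in types unless an "order:" line in snort.conf places it earlier. The rules, sids and packet payload are constructed for the example; the first-match-wins behaviour is assumed from Snort 1.x's documented evaluation model.

```python
from dataclasses import dataclass

# Snort 1.x default rule-type evaluation order.
DEFAULT_ORDER = ["activation", "dynamic", "alert", "pass", "log"]

@dataclass
class Rule:
    ruletype: str   # alert, log, pass, or a custom type such as "nimda"
    sid: str        # constructed label for the rule
    content: bytes  # payload substring the rule looks for

def parse_order(conf_lines, custom_types):
    """Return the rule-type evaluation order for a snort.conf.
    Custom ruletypes go last unless an 'order:' directive lists them."""
    for line in conf_lines:
        line = line.strip()
        if line.startswith("order:"):
            return line.split(":", 1)[1].split()
    return DEFAULT_ORDER + [t for t in custom_types if t not in DEFAULT_ORDER]

def evaluate(packet, rules, order):
    """First matching rule wins; return (ruletype, sid) or None."""
    by_type = {t: [r for r in rules if r.ruletype == t] for t in order}
    for t in order:
        for r in by_type[t]:
            if r.content in packet:
                return (r.ruletype, r.sid)
    return None

# Constructed rules: a stock web-attack alert rule and the custom nimda rule
# both match the same request, so whichever type is evaluated first fires.
RULES = [
    Rule("alert", "web-iis-cmd-exe", b"cmd.exe"),
    Rule("nimda", "nimda-cmd-exe", b"cmd.exe?/c+dir"),
]
# Constructed sample payload, not a capture.
PACKET = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"

def which_fires(conf_lines):
    """Evaluate the sample packet under the order a given snort.conf yields."""
    return evaluate(PACKET, RULES, parse_order(conf_lines, ["nimda"]))

if __name__ == "__main__":
    # Without an order directive the stock alert rule fires and nimda.log
    # stays empty; with Andrew's order line the nimda rule fires instead.
    print(which_fires([]))
    print(which_fires(["order: nimda activation dynamic alert log pass"]))
```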