[Snort-users] Nimda specific logging

Subba Rao subba9 at ...530...
Thu Oct 11 08:44:09 EDT 2001


On  0, "Andrew R. Baker" <andrewb0x29a at ...131...> wrote:
> 
> By default, your nimda ruletype will be evaluated after all other
> ruletypes unless you change the rule evaluation order by adding an "order"
> directive in the configuration file.  Something like:
> 
> order: nimda activation dynamic alert log pass
> 
> would have your nimda rule evaluated first.



order: nimda activation dynamic alert log pass

I have added the above line to my snort.conf (now test.conf) and restarted
Snort. The "current" file (Snort startup messages) says Snort cannot
understand the "order" ruletype. The message is as follows:

ERROR line etc/test.conf (421) => Unknown rule type: order:



> 
> --- Subba Rao <subba9 at ...530...> wrote:
> > Hi,
> > 
> > I am trying to log Nimda specific traffic to a file "nimda.log".
> > In snort.conf, I have defined a new ruletype, which is as follows:
> > 
> > ruletype nimda
> > {
> >  type alert
> >  output alert_fast: nimda.log
> > }
> > 
> > In my "nimda.rules" file, the rule syntax is as follows:
> > 
> > nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (.......)
> > 
> > With this new ruletype, I do not see any nimda specific logging going
> > into the "nimda.log". When I run SnortSnarf on the existing "alert"
> > file, there is mention of the "nimda.rules" file in some alerts.
> > 
> > Could someone point out what I am missing for this new ruletype?
> > 

-- 

Subba Rao
subba9 at ...530...                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
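As an added example (not from this thread, and not the Snort project's own configuration), the fragment below shows the custom ruletype from the thread together with the evaluation-order setting written as a `config order:` directive, which is how Snort's configuration documents the order setting, rather than as a bare `order:` line. The `config order:` syntax is an assumption about the Snort version in use; the rule body, its sid and the file name are constructed for illustration.

```conf
# test.conf fragment (constructed example).

# Custom ruletype: packets matching a "nimda" rule are written to nimda.log
# in alert_fast format, separate from the main "alert" file.
ruletype nimda
{
    type alert
    output alert_fast: nimda.log
}

# A bare "order:" line is parsed as a rule type and fails at startup:
#   ERROR line etc/test.conf (421) => Unknown rule type: order:
# order: nimda activation dynamic alert log pass

# Assumption: the evaluation order is set with the "config order:" directive.
# Listing the custom type first makes nimda rules fire before the stock
# alert rules instead of after them (the default for a new ruletype).
config order: nimda activation dynamic alert log pass

# Rule using the custom type (constructed example; the content match and
# sid 1000001, in the local sid range, are illustrative, not a vetted signature).
nimda tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"NIMDA root.exe request"; content:"root.exe"; nocase; sid:1000001; rev:1;)
```

Running Snort with its configuration-test switch (`snort -T -c test.conf`) reports whether the file parses before the daemon is restarted, so an "Unknown rule type" error is caught without interrupting logging.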



