[Snort-users] Nimda specific logging

Subba Rao subba9 at ...530...
Thu Oct 11 11:19:16 EDT 2001


On  0, "Andrew R. Baker" <andrewb0x29a at ...131...> wrote:
> 
> --- Subba Rao <subba9 at ...530...> wrote:
> > 
> > 
> > order: nimda activation dynamic alert log pass
> > 
> > I have added the above line to my snort.conf (now test.conf) and
> > restarted
> > Snort. The "current" file (Snort startup messages) says Snort cannot
> > understand the "order" ruletype. The message is as follows:
> > 
> > ERROR line etc/test.conf (421) => Unknown rule type: order:
> > 
> 
> my fault, that should be
> 
> config order: nimda activation dynamic alert log pass
> 

Thank you for replying. The above line did work.

The defined ruletype nimda still does not create the file "nimda.log".

ETC/SNORT.CONF

ruletype nimda
{
 type alert
 output alert_fast: nimda.log
}

The ETC/NIMDA.RULES file contains:

nimda tcp $EXTERNAL_NET andy -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)
.
.

Why is the nimda.log file not being created?

-- 

Subba Rao
subba9 at ...530...                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
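One thing worth checking before looking at the output plugin is whether Snort accepts the rule headers in NIMDA.RULES at all: a rule that fails to parse never fires, so the alert_fast plugin never has a reason to open nimda.log. The rule as quoted above has `andy` where Snort expects a source port spec (`any`, a number, a range or a `$VAR`); whether that is in the file on disk or only a typo in the message, the thread does not say. The following is an added example written for this page, not Snort code and not from the poster: it parses `ruletype` blocks from a snort.conf fragment, joins backslash-continued rule lines the way Snort does, and checks each rule header (action, protocol, addresses, ports, direction) the way Snort's startup parser would, accepting a custom action only when a matching `ruletype` block exists. The config and rules it runs on are constructed sample input built from the fragments in the message plus one corrected copy of the rule; the error strings are this script's own, not Snort's.

```python
import re

# Snort's built-in rule actions; any other action must be declared with
# a "ruletype NAME { ... }" block in snort.conf.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{([^}]*)\}")
IP_RE = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?|\[[^\]]+\])$")
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}(:\d{0,5})?|:\d{1,5})$")

# Constructed sample input (not a real deployment): the ruletype block and the
# rule from the message, plus the same rule with "any" as the source port and
# one plain alert rule for comparison.
SNORT_CONF = """
ruletype nimda
{
 type alert
 output alert_fast: nimda.log
}
"""

NIMDA_RULES = r"""
nimda tcp $EXTERNAL_NET andy -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/access (corrected port)"; flags:A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"plain alert"; sid:1000002; rev:1;)
"""


def declared_ruletypes(conf_text):
    """Map each 'ruletype NAME { ... }' block in snort.conf to its body lines."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines() if l.strip()]
            for m in RULETYPE_RE.finditer(conf_text)}


def join_continuations(text):
    """Snort lets a rule span lines with a trailing backslash; rejoin them."""
    return re.sub(r"\\\n\s*", " ", text)


def valid_port(field):
    """Accept any, $VAR, N, N:, :N, N:M (each N <= 65535), optionally negated."""
    if not PORT_RE.match(field):
        return False
    return all(int(n) <= 65535 for n in re.findall(r"\d+", field))


def check_rule(line, actions):
    """Return the header problems a Snort-style parser would reject ([] if none)."""
    header = line.split("(", 1)[0].split()
    if len(header) != 7:
        return ["header has %d fields, expected 7" % len(header)]
    action, proto, src, sport, direction, dst, dport = header
    problems = []
    if action not in actions:
        problems.append("unknown rule type: %r" % action)
    if proto not in PROTOCOLS:
        problems.append("unknown protocol: %r" % proto)
    if not IP_RE.match(src):
        problems.append("bad source address: %r" % src)
    if not valid_port(sport):
        problems.append("bad source port: %r" % sport)
    if direction not in {"->", "<>"}:
        problems.append("bad direction: %r" % direction)
    if not IP_RE.match(dst):
        problems.append("bad destination address: %r" % dst)
    if not valid_port(dport):
        problems.append("bad destination port: %r" % dport)
    return problems


def check_rules(conf_text, rules_text):
    """Return (action, sid, problems) per rule; a custom action is accepted
    only when snort.conf declares a ruletype block with that name."""
    actions = BUILTIN_ACTIONS | set(declared_ruletypes(conf_text))
    results = []
    for line in join_continuations(rules_text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)", line)
        results.append((line.split()[0],
                        int(sid.group(1)) if sid else None,
                        check_rule(line, actions)))
    return results


if __name__ == "__main__":
    for action, sid, problems in check_rules(SNORT_CONF, NIMDA_RULES):
        print("sid %s (%s): %s" % (sid, action,
                                   "OK" if not problems else "; ".join(problems)))
```

Run against the sample input, the rule with `andy` is reported for its source port while the corrected copy and the plain alert pass; run with an empty snort.conf, every `nimda` rule is reported as an unknown rule type, which is the same class of failure as the "Unknown rule type: order:" error earlier in the thread. The check says nothing about whether alert_fast will open nimda.log once a rule does fire; it only rules out a rule that never loads.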



