[Snort-users] ruletype question

Brett.Gillett at ...6663...
Wed Aug 21 10:06:03 EDT 2002
Hey everyone,

I have a question about creating custom ruletypes... I have created a
custom ruletype called 'tbt' -- here it is...

ruletype tbt {
        type alert
        output log_tcpdump: tbt.log
        output alert_full: tbt_full
        output alert_fast: tbt_fast
}

My regular snort configuration looks like this...

<snip>
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=XXXXXX password=XXXXXXX dbname=snort
host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output xml: log, file=/var/log/snortxml
output alert_full: /var/log/snort/snort_full
output alert_fast: /var/log/snort/snort_fast
output alert_full: snort_full
output alert_fast: snort_fast
</snip>

Here's my rule

tbt ip a.b.c.0/24 any -> $INTERNAL any (msg:
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx";)

Here's the question... When I start up snort, it does create the tbt_full
and tbt_fast files, but it doesn't create the tbt-XXX.log binary file.  The
idea is to have a regular snort binary file with all the information, and
the tbt binary file will have only specific information...

I would assume that this is possible; it's just the way I have it
configured...

Any suggestions would be appreciated.


TIA,

Brett
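As an added example (not part of Brett's post and not Snort's own code), here is a small Python checker that parses the kind of configuration shown above: it pulls out each `ruletype` block with its `type` and `output` lines, the global `output` lines, and the action word at the front of every rule, then cross-checks them. That lets an operator confirm, before chasing a missing file, that the custom action used in a rule really is a declared ruletype, that the ruletype carries a `type` line, and exactly which `log_tcpdump` file names (global and per-ruletype) to look for in the log directory. The sample configuration embedded in the script is constructed from the post with a placeholder network (`192.0.2.0/24`); the regular expressions cover only the simple one-line-per-directive layout shown here and are an assumption of this example, not Snort's parser.

```python
import re

# Constructed sample configuration: the ruletype block and rule from the
# post (with a documentation-range placeholder network) plus the global
# output directives.
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output alert_full: snort_full
output alert_fast: snort_fast

ruletype tbt {
        type alert
        output log_tcpdump: tbt.log
        output alert_full: tbt_full
        output alert_fast: tbt_fast
}

tbt ip 192.0.2.0/24 any -> $INTERNAL any (msg:"constructed test rule";)
alert tcp any any -> $INTERNAL 22 (msg:"ssh to internal";)
"""

# Built-in rule actions; anything else in action position must be a ruletype.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Assumed layout: one directive per line, as in the post.
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{\s*$")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*$")
RULE_RE = re.compile(r"^\s*(\w+)\s+(ip|tcp|udp|icmp)\s+.*\(.*\)\s*$")


def parse_conf(text):
    """Return (ruletypes, global_outputs, rule_actions).

    ruletypes maps name -> {"type": base action, "outputs": [(plugin, args)]}
    global_outputs is a list of (plugin, args) outside any ruletype block
    rule_actions is the action word of every rule line, in file order
    """
    ruletypes, global_outputs, rule_actions = {}, [], []
    current = None  # name of the ruletype block we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if current is None:
            m = RULETYPE_RE.match(line)
            if m:
                current = m.group(1)
                ruletypes[current] = {"type": None, "outputs": []}
                continue
            m = OUTPUT_RE.match(line)
            if m:
                global_outputs.append((m.group(1), m.group(2)))
                continue
            m = RULE_RE.match(line)
            if m:
                rule_actions.append(m.group(1))
            continue
        # inside a ruletype block
        if line.strip() == "}":
            current = None
            continue
        m = TYPE_RE.match(line)
        if m:
            ruletypes[current]["type"] = m.group(1)
            continue
        m = OUTPUT_RE.match(line)
        if m:
            ruletypes[current]["outputs"].append((m.group(1), m.group(2)))
    return ruletypes, global_outputs, rule_actions


def audit(text):
    """Return a list of findings about ruletype / rule consistency."""
    ruletypes, global_outputs, actions = parse_conf(text)
    findings = []
    for action in actions:
        if action not in BUILTIN_ACTIONS and action not in ruletypes:
            findings.append(f"rule action '{action}' is not a declared ruletype")
    global_pcaps = {args for plugin, args in global_outputs if plugin == "log_tcpdump"}
    for name, rt in ruletypes.items():
        if rt["type"] is None:
            findings.append(f"ruletype '{name}' has no 'type' line")
        for plugin, args in rt["outputs"]:
            if plugin == "log_tcpdump" and args in global_pcaps:
                findings.append(
                    f"ruletype '{name}' log_tcpdump target '{args}' collides with the global log_tcpdump")
    return findings


def tcpdump_targets(text):
    """Map '<global>' and each ruletype name to its log_tcpdump file names."""
    ruletypes, global_outputs, _ = parse_conf(text)
    targets = {"<global>": [a for p, a in global_outputs if p == "log_tcpdump"]}
    for name, rt in ruletypes.items():
        targets[name] = [a for p, a in rt["outputs"] if p == "log_tcpdump"]
    return targets


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONF) or "none")
    print("log_tcpdump targets:", tcpdump_targets(SAMPLE_CONF))
```

Run it against a real snort.conf by replacing `SAMPLE_CONF` with the file contents; an empty findings list plus a `tbt` entry in the target map tells you the declaration side is consistent, so any still-missing binary file is a question of where and when the output plugin opens it rather than of the rule not being wired to the ruletype.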
