[Snort-users] What is ruletype type good for?

Erek Adams erek at ...577...
Fri Jul 5 10:00:07 EDT 2002


On Fri, 5 Jul 2002 carold at ...158... wrote:

> I am unable to find out what is the functional significance of "type alert"
> or "type log" in "ruletype". My assumption was that it sets processing
> priority for rules of this type but this is not the case. Even if I have
> "ruletype myalert" of "type alert" Snort will process these rules as
> alert->pass->log->myalert, which does not make sense in my mind.
>
> Could anybody clarify?

Sure.  From:

	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1

[...snip...]

	1. alert - generate an alert using the selected alert method, and then log the packet

	2. log - log the packet

[...snip...]

That's the functional difference.  One logs only (log) and one 'rings a bell'
and logs.

Now as for why the rule order is alert->pass->log->myalert...

This depends on how the rule is organized off of the tree.  It's not so much
priority, as it is a layout.  First the alerts are applied (most important
things first), then skipping things, then saving things, then 'user defined'
since it might take longer to do them.

I've got a url I'll have to dig up for a better explanation than that...

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
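A concrete pair of user-defined rule types showing the two types the reply quotes from the docs, as an added example that is not from the thread or the Snort documentation; the names redalert and suspicious, the output plugin settings, the rule bodies and the SIDs are made up for illustration:

```snort
# Added example, not from the thread. 'type log' only records the
# packet; 'type alert' fires the listed output plugins and then logs,
# as the quoted documentation describes.

ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}

ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# Rules then use the new type name in place of alert/log.
# Both rules are hypothetical; $HOME_NET is the usual Snort variable.
suspicious tcp any any -> $HOME_NET 6667 (msg:"IRC client traffic to home net"; sid:1000001; rev:1;)
redalert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH connection attempt"; flags:S; sid:1000002; rev:1;)
```

With the default order, Snort evaluates the built-in alert rules, then pass, then log, and only then each user-defined type such as redalert and suspicious, which is the alert->pass->log->myalert sequence the question asks about.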
