[Snort-users] What is ruletype type good for?
erek at ...577...
Fri Jul 5 10:00:07 EDT 2002
On Fri, 5 Jul 2002 carold at ...158... wrote:
> I am unable to find out what the functional significance of "type alert"
> or "type log" in "ruletype" is. My assumption was that it sets processing
> priority for rules of this type, but this is not the case. Even if I have
> "ruletype myalert" with "type alert", Snort will process these rules as
> alert->pass->log->myalert, which does not make sense in my mind.
> Could anybody clarify?
1. alert - generate an alert using the selected alert method, and then
   log the packet
2. log - log the packet

That's the functional difference. One logs only (log) and one 'rings a bell' (alert).
Now as for why the rule order is alert->pass->log->myalert...
This depends on how the rules are organized off of the tree. It's not so much
priority as it is a layout. First the alerts are applied (most important
things first), then skipping things, then saving things, then 'user defined'
since those might take longer to do.
I've got a url I'll have to dig up for a better explanation than that...
Hope that helps some!
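A snort.conf fragment, added here as an illustration and not part of the original thread or of the Snort distribution, showing what "type alert" versus "type log" actually changes: the output plugins a custom ruletype may attach. The ruletype names, the log file paths and the rule itself are constructed for the example; the output plugin names (alert_syslog, alert_fast, log_tcpdump) are standard Snort 2.x plugins.

```snort
# Constructed example: two user-defined rule types.
#
# "type alert" means the packet goes through the alert path, so this
# ruletype can attach alert_* output plugins (and log_* plugins after them).
ruletype myalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_fast: myalert.fast
    output log_tcpdump: myalert.log
}

# "type log" means the packet only goes through the log path; only
# log_* output plugins make sense here, nothing "rings a bell".
ruletype mylog
{
    type log
    output log_tcpdump: mylog.log
}

# Rules use the custom type in place of alert/log/pass. Regardless of
# whether the type is alert or log, a user-defined ruletype is evaluated
# after the built-in stages (alert->pass->log->myalert, as discussed above).
myalert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH SYN to home net"; \
    flags:S; sid:1000001; rev:1;)

mylog tcp any any -> $HOME_NET 3306 (msg:"EXAMPLE inbound MySQL connection attempt"; \
    flags:S; sid:1000002; rev:1;)
```

Because the custom types run last, a matching "pass" rule earlier in the order still wins over a myalert rule; keep that in mind when deciding which detections belong in a custom type rather than in a plain alert rule.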