[Snort-users] What is ruletype type good for?

carold at ...158... carold at ...158...
Fri Jul 5 10:20:02 EDT 2002


> On Fri, 5 Jul 2002 carold at ...158... wrote:
> 
> > I am unable to find out what is the functional significance of "type
> > alert" or "type log" in "ruletype". My assumption was that it sets
> > processing priority for rules of this type but this is not the case.
> > Even if I have "ruletype myalert" of "type alert" Snort will process
> > these rules as alert->pass->log->myalert, which does not make sense in
> > my mind.
> >
> > Could anybody clarify?
> 
> Sure.  From:
> 
> 	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1
> 
> [...snip...]
> 
> 	1.alert - generate an alert using the selected alert method, and then
> log the packet
> 
> 	2.log - log the packet
> 
> [...snip...]
> 
> That's the functional difference.  One logs only (log) and one 'rings a
> bell' and logs.

Assuming I got this right, the sole meaning is that "type alert" in
"ruletype" _enables_ (or _allows for_) output alert_<whatever> options? Namely, the
meaning is _not_: "this is an alert rule".

> Now as for why the rule order is alert->pass->log->myalert...
> 
> This depends on how the rule is organized off of the tree.  It's not so
> much priority, as it is a layout.  First the alerts are applied (most
> important things first), then skipping things, then saving things, then
> 'user defined' since it might take longer to do them.
> 
> I've got a url I'll have to dig up for a better explanation than that...
> 
> Hope that helps some!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

Thank you for your reply!

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net
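An added example, not part of the original thread or of the Snort distribution, showing what the two sides of the exchange above describe: a user-defined ruletype whose "type alert" makes it behave like the built-in alert action (alert through the listed output plugins, then log the packet) next to one whose "type log" only logs, and a rule written against each. The ruletype names, output filenames, ports and sids are illustrative choices for this example; the output plugins used (alert_fast, log_tcpdump) are standard Snort 1.x/2.x plugins.

```snort
# Added example (not from the original thread); Snort 1.x/2.x ruletype syntax.
# Names, filenames, ports and sids are illustrative.

# "type alert": rules of this type behave like the built-in alert action.
# The alert is sent through the output plugins declared in this block,
# and the packet is logged. The "type" line does not make this a high-
# priority rule; it only selects alert-style handling.
ruletype myalert
{
    type alert
    output alert_fast: myalert.fast
    output log_tcpdump: myalert.pcap
}

# "type log": rules of this type behave like the built-in log action.
# The packet is logged through the declared plugin(s); no alert is raised.
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.pcap
}

# The leading keyword of a rule names the ruletype. Rules in user-defined
# types are still evaluated after the built-in alert, pass and log sets
# (alert->pass->log->myalert/suspicious), as observed in the thread.
myalert tcp any any -> $HOME_NET 23 (msg:"Telnet SYN (myalert)"; flags:S; sid:1000001; rev:1;)
suspicious tcp any any -> $HOME_NET 1:1024 (msg:"Low-port SYN (suspicious)"; flags:S; sid:1000002; rev:1;)
```

With this in snort.conf, a SYN to port 23 produces an entry in myalert.fast and a packet in myalert.pcap, while a SYN to another low port is only written to suspicious.pcap. Note also that Snort's -o command-line switch (not discussed in the thread) changes the built-in ordering from alert->pass->log to pass->alert->log, which is the usual way to make pass rules win over alert rules; it does not move user-defined ruletypes ahead of the built-in ones.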
