[Snort-users] What is ruletype type good for?
Andrew R. Baker
andrewb at ...950...
Sun Jul 7 14:38:01 EDT 2002
carold at ...158... wrote:
> Maybe this will explain it: I completely agree with your statements above.
> Where we differ and what puzzles me is if I define custom rule class (using
> "ruletype" definition) and explicitly declare it as "type alert" then I would
> expect rules of this class to be treated just like any other alert (with the
> exception of customized alert and log outputs). Namely, I would expect these
> rules to be of the same processing priority as other alerts.
> Since this is not the case and these rules are in fact processed last then
> the _only_ differentiator between declaring this class as "type alert" or
> "type log" is the availability of the alert output. Going back to my original
> wording: "type alert" in "ruletype" will NOT give me true alert rule (with
> customized output) but merely a "last-in-the-food-line" rule with access to alert
> output plugins.
> I see a lot of value for true alert rules with customized output but not
> much value for the current functionality. Why would I need alert output plugins
> for rules that are processed last?
> Perhaps the best long-term approach would be to let each user define both
> output plugins and processing priority for each rule class, as opposed to the
> current limited "-o" functionality. :-O
I think you have missed one very important config file option that
should be used with custom rule types. Add
config order: ruletype1, ruletype2, ruletype3, ...
after you have declared all the rule types in the config file and they
will get processed in that order. Be sure to include the standard
ruletypes also. By default, new rule types are processed after the
standard rule types. There were two goals behind the custom ruletype code:
1) Allow customized output plugin binding for different alert/log
2) Allow for more control over the order that rules are evaluated.
I wrote the code because I needed to be able to interleave some pass
rules between two sets of alert rules.
Is there something else you want to be able to do with the custom rule
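As an added illustration of the two goals described in this reply (not a config from the original thread), the snippet below declares two custom rule types with their own output bindings and then uses config order to slot the standard pass rules between a custom alert type and the standard alert type; the rule contents, variables, sids and output file names are constructed placeholders.

```snort
# Added example: custom rule types with their own output plugins, plus the
# config order line the reply points out. Everything here is constructed.

# A custom type that behaves as an alert but writes to its own outputs.
ruletype early_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: early_alert.log
}

# A custom type that behaves as a log rule with a separate capture file.
ruletype audit
{
    type log
    output log_tcpdump: audit.log
}

# Without this line the new types are evaluated after the standard ones.
# The standard types are listed as well, as the reply advises.
config order: early_alert, pass, alert, audit, log

# Evaluated first: fires even for hosts the later pass rule exempts.
early_alert tcp any any -> $HOME_NET 23 (msg:"Telnet to internal host (constructed example)"; sid:1000001; rev:1;)

# Evaluated second: a matching packet is not checked against the types below.
pass tcp $MGMT_HOST any -> $HOME_NET 23 (msg:"Management telnet allowed (constructed example)"; sid:1000002; rev:1;)

# Standard alert, evaluated after the pass rules.
alert tcp any any -> $HOME_NET 23 (msg:"Telnet from non-management host (constructed example)"; sid:1000003; rev:1;)

# Custom log type, evaluated before the standard log rules.
audit tcp any any -> $HOME_NET 21 (msg:"FTP session recorded (constructed example)"; sid:1000004; rev:1;)
```

With this ordering a telnet connection from $MGMT_HOST still produces the early_alert syslog entry and capture, while the standard alert rule stays quiet for it; every other source triggers both.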