[Snort-users] What is ruletype type good for?

Andrew R. Baker andrewb at ...950...
Sun Jul 7 14:38:01 EDT 2002


carold at ...158... wrote:
> 
> Maybe this will explain it: I completely agree with your statements above.
> Where we differ and what puzzles me is if I define custom rule class (using
> "ruletype" definition) and explicitly declare it as "type alert" then I would
> expect rules of this class to be treated just like a any other alert (with the
> exception of customized alert and log outputs). Namely, I would expect these
> rules to be of the same processing priority as other alerts.
> 
> Since this is not the case and these rules are in fact processed last then
> the _only_ differentiator between declaring this class as "type alert" or
> "type log" is the availability of the alert output. Going back to my original
> wording: "type alert" in "ruletype" will NOT give me true alert rule (with
> customized output) but merely a "last-in-the-food-line" rule with access to alert
> output plugins.
> 
> I see a lot of value for true alert rules with customized output but not
> much value for the current functionality. Why would I need alert output plugins
> for rules that are processed last?
> 
> Perhaps the best long-term approach would be to let each user define both
> output plugins and processing priority for each rule class, as opposed to the
> current limited "-o" functionality.   :-O

I think you have missed one very important config file option that 
should be used with custom rule types.  Add

config order: ruletype1, ruletype2, ruletype3, ...

after you have declared all the rule types in the config file and they 
will get processed in that order.  Be sure to include the standard 
ruletypes also.  By default, new rule types are processed after the 
standard rule types.  There were two goals behind the custom ruletype code:

     1) Allow customized output plugin binding for different alert/log
         rules.

     2) Allow for more control over the order that rules are evaluated.

I wrote the code because I needed to be able to interleave some pass 
rules between two sets of alert rules.

Is there something else you want to be able to do with the custom rule 
types?

-A





More information about the Snort-users mailing list