[Snort-users] ruletype directive doesn't work: why?

Anton Chuvakin anton at ...5376...
Tue May 7 06:42:11 EDT 2002


Hello,

Usually, it's pretty annoying when people post an obscure chunk of the
config file and ask 'why doesn't it work?', right?

But sometimes, it seems to be the only way to overcome some major obstacle.
Like this, for example:

---------
#custom rule to only DB incoming!
ruletype incoming
{
   type log output
   output database: log, mysql, user=snort dbname=snort_db host=localhost
}

incoming ip any any -> 1.2.3.0/24 any (msg: "Snort incoming";)
----------
does nothing!!

Context:

Linux 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
snort-1.8.6, built with mysql support (LOGS to mysql just fine if 'output
database:...' is present in config file, BUT not in ruletype).

Any ideas? The purpose of the above is to only log incoming packets coming
to the network, but not outgoing.

Thanks a lot for ANY hints!

Best,
-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
   http://www.info-secure.org
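The post's goal is a rule that selects only traffic entering 1.2.3.0/24. What a Snort rule header like `ip any any -> 1.2.3.0/24 any` actually selects is easy to get wrong, so here is an added example (not from the post and not Snort's own code) that models the header-matching semantics in plain Python: the `->` versus `<>` direction operators, `any`, CIDR and `!`-negated address specs, and port ranges. The `Flow` records are constructed sample traffic; Snort variables such as `$HOME_NET` and the ruletype output plugins are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed packet/flow (constructed sample data, not a capture)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _match_ip(spec, ip):
    # "any" matches everything; a leading "!" negates a CIDR or host spec.
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if negate else hit


def _match_port(spec, port):
    # "any", a single port, a "lo:hi" range (either end open), optional "!".
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return not hit if negate else hit


def parse_header(rule):
    """Split 'action proto src sport dir dst dport (options...)' into fields."""
    header = rule.split("(", 1)[0].split()
    if len(header) != 7:
        raise ValueError(f"malformed rule header: {rule!r}")
    action, proto, src, sport, direction, dst, dport = header
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator: {direction}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def _one_way(flow, src, sport, dst, dport):
    return (_match_ip(src, flow.src_ip) and _match_port(sport, flow.src_port)
            and _match_ip(dst, flow.dst_ip) and _match_port(dport, flow.dst_port))


def header_matches(h, flow):
    """True if the flow satisfies the rule header (protocol, addresses, ports, direction)."""
    # "ip" covers every IP protocol; anything else must match exactly.
    if h["proto"] != "ip" and h["proto"] != flow.proto:
        return False
    fwd = _one_way(flow, h["src"], h["sport"], h["dst"], h["dport"])
    if h["dir"] == "->":
        return fwd
    # "<>" also accepts the flow with source and destination swapped.
    return fwd or _one_way(flow, h["dst"], h["dport"], h["src"], h["sport"])


def select_flows(rule, flows):
    h = parse_header(rule)
    return [f for f in flows if header_matches(h, f)]


# The rule from the post.
RULE_INCOMING = 'incoming ip any any -> 1.2.3.0/24 any (msg: "Snort incoming";)'

# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.9", 51000, "1.2.3.10", 22),    # incoming ssh
    Flow("tcp", "1.2.3.10", 51001, "203.0.113.9", 80),    # outgoing web
    Flow("udp", "198.51.100.7", 40000, "1.2.3.250", 53),  # incoming dns
    Flow("icmp", "1.2.3.77", 0, "198.51.100.7", 0),       # outgoing ping
    Flow("tcp", "1.2.3.10", 4444, "1.2.3.11", 445),       # internal, stays in the /24
]

if __name__ == "__main__":
    for f in select_flows(RULE_INCOMING, SAMPLE_FLOWS):
        print("would log:", f)
```

Two things the matcher makes visible. A source of `any` means the rule also fires on traffic that never leaves the network (the internal 1.2.3.10 to 1.2.3.11 flow above); `incoming ip !1.2.3.0/24 any -> 1.2.3.0/24 any` is the header that selects only externally sourced packets. And `<>` would match the outgoing flows as well, so the one-way `->` in the post is the right operator for "incoming only". The example covers only which packets the header selects; it says nothing about why the ruletype's output section did not fire, which is the separate problem the post is asking about.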
