[Snort-users] conflict with alert types

Jordi Vidal jordivi at ...10666...
Tue Dec 2 08:01:02 EST 2003


	I've just installed snort and am playing with config files. I have a 
question; I hope someone can tell me what I'm doing wrong.

	I set up a rule to alert via SMB, but it conflicts with the standard 
alert file.

	In my local.rules file I wrote:

ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
smbalert tcp $HOME_NET any <> any any (msg:"TESTING"; flow:to_server,established; flags:PA; content:"thisisatest"; nocase;)

Then, if I start snort, this rule works fine but no other alerts are 
dumped to /var/log/snort/alert; the file is not even created at startup.

If I launch snort with "-A full", the alert file works fine but the rule 
for SMB alerts doesn't.

I start snort like this:
/usr/local/snort/bin/snort -c /etc/snort/snort.conf -b -l /var/log/snort -D

Snort is version 2.0.5 with the latest rulesets.

Kind Regards

