[Snort-users] conflict with alert types

Martin Olsson elof at ...6680...
Tue Dec 2 09:13:00 EST 2003


On Tue, 2 Dec 2003, Jordi Vidal wrote:
> 	I set up a rule to alert via SMB but it conflicts with standard
> alert file.
> 	In my local.rules file I wrote:
> ---
> ruletype smbalert
> {
>         type alert
>         output alert_smb: /etc/snort/smbalerthosts
> }
> smbalert tcp $HOME_NET any <> any any
> (msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
> ---
> Then, if I start snort, this rule works fine but no other alerts are
> dumped to /var/log/snort/alert; the file is not even created at startup.

First, I would put all my ruletype declarations directly in snort.conf,
not in the *.rules files.

Secondly, in snort.conf, have you specified any "default" output system?
Like this:

snort.conf:
...
...
output alert_fast: snort.alert
...
...
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
...
...

/Martin
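As an added illustration (not code from the thread or from the Snort project), the script below parses a snort.conf and a rules file and flags the two conditions Martin asks about: a ruletype block declared in a *.rules file rather than snort.conf, and the absence of any default alert output plugin. The sample config texts are constructed for this example and only mirror the fragments quoted in the thread; the parser understands the simple `output ...` and `ruletype name { type ... output ... }` syntax shown there and is not a complete Snort configuration parser.

```python
import re

# Constructed snort.conf fragment: a default alert_fast output plus the
# custom smbalert ruletype declared where Martin suggests it should live.
SAMPLE_CONF_GOOD = """\
var HOME_NET 192.168.1.0/24
# default output plugin so ordinary 'alert' rules still go somewhere
output alert_fast: snort.alert
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
include $RULE_PATH/local.rules
"""

# Constructed local.rules reproducing the reported setup: the ruletype is
# declared in the rules file and the config below declares no default output.
SAMPLE_CONF_BAD = "var HOME_NET 192.168.1.0/24\ninclude $RULE_PATH/local.rules\n"
SAMPLE_RULES_BAD = """\
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
smbalert tcp $HOME_NET any <> any any (msg:"TESTING"; flow:to_server,established; flags:PA; content:"thisisatest"; nocase;)
"""

BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}


def _logical_lines(text):
    """Yield stripped lines, dropping blank lines and '#' comment lines and
    joining backslash continuations (Snort lets rules span lines that way)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line


def parse_snort_config(text):
    """Return (top_level_outputs, ruletypes, rule_actions).

    ruletypes maps a ruletype name to {"type": ..., "outputs": [...]};
    rule_actions is the list of leading action keywords of rule lines."""
    outputs, ruletypes, actions = [], {}, []
    current = None  # name of the ruletype block we are inside, if any
    for line in _logical_lines(text):
        if current is not None:
            if line == "}":
                current = None
            elif line.startswith("type "):
                ruletypes[current]["type"] = line.split(None, 1)[1]
            elif line.startswith("output "):
                ruletypes[current]["outputs"].append(line[7:].strip())
            continue  # ignore the opening '{' and anything else in the block
        m = re.match(r"ruletype\s+(\w+)", line)
        if m:
            current = m.group(1)
            ruletypes[current] = {"type": None, "outputs": []}
        elif line.startswith("output "):
            outputs.append(line[7:].strip())
        elif re.match(r"\w+\s+\w+\s+\S+\s+\S+\s+(->|<>)", line):
            actions.append(line.split(None, 1)[0])  # looks like a rule line
    return outputs, ruletypes, actions


def audit(conf_text, rules_text):
    """Return a list of warnings for the misconfigurations discussed."""
    warnings = []
    conf_outputs, conf_ruletypes, _ = parse_snort_config(conf_text)
    _, rule_ruletypes, rule_actions = parse_snort_config(rules_text)
    if not any(o.startswith("alert_") for o in conf_outputs):
        warnings.append("no default alert output plugin declared in snort.conf")
    for name in rule_ruletypes:
        warnings.append(f"ruletype '{name}' declared in rules file; move it to snort.conf")
    known = BUILTIN_ACTIONS | set(conf_ruletypes) | set(rule_ruletypes)
    for action in sorted(set(rule_actions) - known):
        warnings.append(f"rule uses undeclared action '{action}'")
    return warnings


if __name__ == "__main__":
    for w in audit(SAMPLE_CONF_BAD, SAMPLE_RULES_BAD):
        print("WARNING:", w)
```

Run against the good config the audit returns nothing; run against the constructed reproduction it reports both the missing default output and the ruletype living in the rules file. A third check, for rules whose action keyword matches no built-in action or declared ruletype, catches the related case where the ruletype block is simply missing.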