[Snort-users] conflict with alert types
elof at ...6680...
Tue Dec 2 09:13:00 EST 2003
On Tue, 2 Dec 2003, Jordi Vidal wrote:
> I set up a rule to alert via SMB but it conflicts with the standard
> alert file.
> In my local.rules file I wrote:
> ruletype smbalert
> {
>   type alert
>   output alert_smb: /etc/snort/smbalerthosts
> }
> smbalert tcp $HOME_NET any <> any any
> (msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
> Then, if I start snort, this rule works fine but no other alerts are
> dumped to /var/log/snort/alert; even the file is not created at startup.
First, I would put all my ruletype declarations directly in snort.conf,
not in the *.rules files.
Secondly, in snort.conf, have you specified any "default" output system?
output alert_fast: snort.alert
output alert_smb: /etc/snort/smbalerthosts