[Snort-users] conflict with alert types

Jordi Vidal jordivi at ...10666...
Tue Dec 2 10:26:01 EST 2003


It worked!

	I didn't have a default alert definition. 

Thank you!
-- 
Jordi

http://www.wtransnet.com
Dpto. Técnico



On Tue, 2 Dec 2003, Martin Olsson wrote:

> 
> On Tue, 2 Dec 2003, Jordi Vidal wrote:
> > 	I set up a rule to alert via SMB but it conflicts with standard
> > alert file.
> > 	In my local.rules file I wrote:
> > ---
> > ruletype smbalert
> > {
> >         type alert
> >         output alert_smb: /etc/snort/smbalerthosts
> > }
> > smbalert tcp $HOME_NET any <> any any
> > (msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
> > ---
> > Then, if I start snort, this rule works fine but no other alerts are
> > dumped to /var/log/snort/alert, even the file is not created at startup.
> 
> First, I would put all my ruletype declarations directly in snort.conf,
> not in the *.rules files.
> 
> Secondly, in snort.conf, have you specified any "default" output system?
> Like this:
> 
> snort.conf:
> ...
> ...
> output alert_fast: snort.alert
> ...
> ...
> ruletype smbalert
> {
>         type alert
>         output alert_smb: /etc/snort/smbalerthosts
> }
> ...
> ...
> 
> /Martin
> 
> 
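The misconfiguration resolved in this thread, a custom `ruletype` with its own `output` and no default output in snort.conf, can be caught with a small lint before Snort is started. This is an added example, not code from the thread or from the Snort project; the function names and sample configs are constructed, and it assumes a default alert output is any top-level `output alert_*` line.

```python
import re

# Constructed sample configs for illustration (not the poster's real files).
BROKEN = """\
var HOME_NET 192.168.1.0/24
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
include local.rules
"""
FIXED = "output alert_fast: snort.alert\n" + BROKEN

def parse_outputs(conf_text):
    """Return (global_outputs, {ruletype_name: [outputs]}) for snort.conf text."""
    global_outputs, per_type = [], {}
    current = pending = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        m = re.match(r"ruletype\s+(\w+)\s*(\{)?$", line)
        if m and current is None:
            per_type[m.group(1)] = []
            if m.group(2):                       # brace on the same line
                current = m.group(1)
            else:                                # brace expected on a later line
                pending = m.group(1)
        elif line == "{" and pending:
            current, pending = pending, None
        elif line == "}" and current:
            current = None
        else:
            m = re.match(r"output\s+(\w+)", line)
            if m:                                # inside a block or global scope
                (per_type[current] if current else global_outputs).append(m.group(1))
    return global_outputs, per_type

def missing_default_alert(conf_text):
    """True when a custom ruletype has its own output but no global alert_* exists."""
    global_outputs, per_type = parse_outputs(conf_text)
    has_custom = any(per_type.values())
    has_default = any(name.startswith("alert_") for name in global_outputs)
    return has_custom and not has_default

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "-> missing default alert output:", missing_default_alert(conf))
```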




