[Snort-users] 2.1.3RC1 event_queue and custom ruletypes/log rules?
jh at ...1935...
Mon May 3 08:52:02 EDT 2004
On Wed, Apr 28, Erik Fichtner wrote:
> Are custom rule types not part of the new event_queue?
> (which, by the way, I think I like.)
Thanks for trying out the new event queue mechanism!
> does not produce expected behavior.. the "sample alert" packets do not
> appear in traffic.log, only in alerts.log. So, I think to myself
> 'self.. perhaps it only works on "alert" types.' so I make "traffic"
> an "alert" type (with output alert_fast: /dev/null (YUCK!)).. same
> behavior. So.... help?
Currently how the event queue works is that depending on the order of
the alert types, we log multiple events of the highest ordered alert
type. So, for example -
if you have pass->alert->log order, and you alert on two "pass" rules,
three "alerts," and one "log," we will only log the two pass rules. This is
because if you have a "pass" rule you don't want to see alerts, so we
only log the highest ordered alert type.
So, for your example, if you ordered the "traffic" alert type first
you should see the "traffic" event but not the "alert" event.
Your example brings up a good point - do we want to allow multiple
logging of different alert types while keeping in mind there are some
alert types we don't want to log because of a lower priority ordering...
We'll look into this - feedback welcomed.
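The selection rule described above, as an added example that is not part of the original post and not Snort's own code: a small Python model of the 2.1.3RC1 event-queue behaviour, in which only the events of the highest-ordered rule type that fired on a packet are logged. The rule-type names, SIDs and messages in the sample events are constructed for the illustration; the `Event` record and `logged_sids` helper are hypothetical and exist only to make the ordering effect visible.

```python
"""Toy model of the Snort 2.1.3RC1 event-queue ordering described in the post.

Hypothetical simulation written for this page, not Snort source code.  It
reproduces the stated rule: for one packet, only events whose rule type is
ordered highest (among the types that actually fired) are logged.
"""
from collections import namedtuple

# Constructed record; Snort's real event structure is richer than this.
Event = namedtuple("Event", ["rule_type", "sid", "msg"])


def select_logged_events(rule_order, events):
    """Return the events that survive the event queue for one packet.

    rule_order: rule types from highest to lowest precedence,
                e.g. ["pass", "alert", "log"].
    events:     every rule that matched the packet.

    Events of a type not present in rule_order are ignored; of the rest,
    only those whose type ranks highest are kept.
    """
    rank = {rtype: idx for idx, rtype in enumerate(rule_order)}
    fired = [e for e in events if e.rule_type in rank]
    if not fired:
        return []
    best = min(rank[e.rule_type] for e in fired)
    return [e for e in fired if rank[e.rule_type] == best]


def logged_sids(rule_order, events):
    """Convenience wrapper: just the SIDs that would be logged, in order."""
    return [e.sid for e in select_logged_events(rule_order, events)]


# Constructed sample: the post's example of two pass, three alert, one log
# rule all matching the same packet (SIDs and messages are made up).
EXAMPLE_EVENTS = [
    Event("pass", 1, "pass rule A"),
    Event("pass", 2, "pass rule B"),
    Event("alert", 3, "alert rule A"),
    Event("alert", 4, "alert rule B"),
    Event("alert", 5, "alert rule C"),
    Event("log", 6, "log rule A"),
]

# Constructed sample for the custom "traffic" rule type from the question:
# a "traffic" rule and an "alert" rule both fire on the sample packet.
TRAFFIC_EVENTS = [
    Event("traffic", 2000001, "sample alert (traffic ruletype)"),
    Event("alert", 2000002, "sample alert (alert ruletype)"),
]


if __name__ == "__main__":
    # Default-style order: only the two pass rules are logged.
    print(logged_sids(["pass", "alert", "log"], EXAMPLE_EVENTS))
    # "traffic" ordered after "alert": the traffic event never reaches its log.
    print(logged_sids(["alert", "traffic", "log"], TRAFFIC_EVENTS))
    # "traffic" ordered first: the traffic event is logged, the alert is not.
    print(logged_sids(["traffic", "alert", "log"], TRAFFIC_EVENTS))
```

Running the module shows the two cases the thread describes: with the custom type ordered below `alert`, only the alert event survives (the traffic.log stays empty), and moving the custom type to the front flips which single event is logged rather than logging both.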