[Snort-users] Snort 2.2.0 ruletype not working

Sudom, Don dsudom1 at ...12658...
Fri Feb 25 05:54:14 EST 2005


Hi,

I am unsuccessfully trying to get the ruletype method to work as
follows:

ruletype auditlog
{
  type alert
  output alert_syslog:  LOG_AUTH LOG_INFO
  output log_null
}

auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; \
  itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; \
  depth:32;)

I have disabled the corresponding alert rule in the icmp-info.rules
file.  If I re-enable the rule in the icmp-info.rules file it is picked
up as an alert (as expected).  If I disable it in icmp-info.rules and
enable it in local.rules, no log is generated.

Is this a bug, as I cannot make any of the output plugins work within
ruletype?

Regards,
Don
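A static check that goes with the problem above, added here as an example and not part of the original post or of Snort itself. Snort 2.x parses its configuration top to bottom, so a custom action has to be declared with `ruletype` before the first rule that uses it, and a rule whose action matches neither a built-in action nor an earlier `ruletype` block will not be wired to the block's output plugins. The script below takes a snort.conf with its included rule files pasted in (in include order), joins backslash-continued rule lines the way Snort does, and reports custom actions used before or without a matching `ruletype`, plus `ruletype` blocks that lack a `type` or any `output` line. The configuration text is constructed for this example; the `sid` values and the `quietlog` and `redirect` names are made up.

```python
"""Static checks for Snort 2.x 'ruletype' blocks (added example, not Snort code).

Input is a config with included rule files already expanded in include order.
Findings: custom actions never declared, actions used before their ruletype,
and ruletype blocks missing 'type' or 'output'.  All sample input is constructed.
"""
import re

# Actions Snort 2.x understands without a ruletype block.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                   "drop", "reject", "sdrop"}

RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*$")
# action proto src sport direction dst dport (options...)
RULE_RE = re.compile(r"^\s*(\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(")


def logical_lines(text):
    """Join backslash-continued lines as Snort does.

    Returns (first_physical_line_number, joined_text) pairs so findings can
    point at the line where a rule starts.
    """
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        out.append((start, " ".join(piece.strip() for piece in buf)))
        buf, start = [], None
    if buf:  # trailing continuation with no final line
        out.append((start, " ".join(piece.strip() for piece in buf)))
    return out


def check_config(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    lines = logical_lines(text)
    # Names declared anywhere, to tell "declared too late" from "never declared".
    all_names = {RULETYPE_RE.match(l).group(1) for _, l in lines if RULETYPE_RE.match(l)}
    declared = {}  # name -> {"type": str | None, "outputs": [str]}
    i = 0
    while i < len(lines):
        lineno, line = lines[i]
        m = RULETYPE_RE.match(line)
        if m:
            name = m.group(1)
            entry = {"type": None, "outputs": []}
            i += 1
            # Consume the block body up to the closing brace.
            while i < len(lines) and lines[i][1].strip() != "}":
                body = lines[i][1].strip()
                if body.startswith("type "):
                    entry["type"] = body.split(None, 1)[1]
                elif body.startswith("output "):
                    entry["outputs"].append(body.split(None, 1)[1])
                i += 1
            if entry["type"] is None:
                findings.append(f"line {lineno}: ruletype {name} has no 'type' line")
            if not entry["outputs"]:
                findings.append(f"line {lineno}: ruletype {name} declares no output plugin")
            declared[name] = entry
            i += 1  # skip the "}"
            continue
        m = RULE_RE.match(line)
        if m:
            action = m.group(1)
            if action not in BUILTIN_ACTIONS and action not in declared:
                if action in all_names:
                    findings.append(f"line {lineno}: rule uses action '{action}' before "
                                    f"ruletype {action} is declared (Snort reads the config "
                                    f"top to bottom)")
                else:
                    findings.append(f"line {lineno}: rule uses action '{action}' "
                                    f"but no ruletype declares it")
        i += 1
    return findings


# Constructed sample: one rule placed above its ruletype, one ruletype without
# 'type', the rule from the post (continued with backslashes), and a typo action.
SAMPLE_CONF = """\
# --- constructed snort.conf fragment ---
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"used too early"; itype:8; sid:1000001;)

ruletype auditlog
{
  type alert
  output alert_syslog: LOG_AUTH LOG_INFO
  output log_null
}

ruletype quietlog
{
  output log_null
}

# --- contents of local.rules, as if included here ---
auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; \\
    itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; \\
    depth:32; sid:1000002;)
alert icmp any any -> $HOME_NET any (msg:"builtin action is fine"; sid:1000003;)
redirect tcp any any -> $HOME_NET 80 (msg:"typo in action"; sid:1000004;)
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Running it on the sample reports three findings: the `auditlog` rule at line 5 sits above its `ruletype`, `quietlog` has no `type` line, and `redirect` matches no `ruletype`. The rule taken from the post passes, which is what you would expect: if the checker is clean and the syslog entries still do not appear, the remaining suspects are the output plugin's own configuration (syslog facility and level, the daemon's filtering) rather than the rule syntax.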