[Snort-users] putting in the Snort rules and dump results in Syslogd

Lee Clemens snort at ...13080...
Mon Mar 14 23:01:30 EST 2005

First add the rule to your local.rules file (in the directory where you
other rules files are and as noted in your snort.conf file as RULE_PATH).
With "alert" in front of the rule, it should be displayed in your Syslog
(depending on the options you supplied when running or installing Snort),
"log" would only add the packet to your log path.

You'll want to give it a sid: value too, local rules start at 1000000, so if
it's your first local rule, sid:1000000 should work just fine. Then restart
Snort and it should be good. 

As far as testing it is concerned, the only way I know of is to generate
that traffic over your network (probably temporarily changing $EXTERNAL_NET
to $HOME_NET so it would still be valid).


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of mr leokenzie
Sent: Tuesday, March 15, 2005 1:38 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] putting in the Snort rules and dump results in

Where do I put the Snort rules for example:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139
(msg: "DOS SMBdie attack"; flags: A+; content:"|57724c65680042313342577a|";)
and check whether the SNORT rule is works?
How can I set it up so that the results will be displayed in the Syslogd.

Express yourself instantly with MSN Messenger! Download today - it's FREE! 

SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list