[Snort-users] rule type declarations type "drop"

justin joseph justinjoseph007 at ...11827...
Tue Nov 24 03:46:58 EST 2009


I wanted to have a separate log file for the action "drop" (inline mode)
and, as mentioned in the Snort manual, tested ruletype declarations.
I changed "drop" to "mydrop" in the rules file and gave the
mydrop ruletype declaration below in the snort.conf file:

ruletype mydrop
{
  type drop
  output alert_full: /var/log/snort/mydrop.full
}

This does not work and fails with the error below:

ERROR: /etc/snort/snort-ips.conf(702): Invalid type for rule type
declaration: drop
Fatal Error, Quitting..

However, this works if the type is "alert"; why does the ruletype not
support type "drop"?

Is there any other mechanism to distinguish between logs for drop rules and
alert rules?  Some of my rules are drop and others alert while running in
inline mode.

Thank you
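One way to separate drop hits from alert hits when both land in the same
alert_full log, added here as an example rather than anything from the post
above or from the Snort project: read the action (drop/alert/...) and the
gid:sid of every rule from the rules file, then bucket each alert_full record
by the action of the rule that fired. The rule lines and the alert_full
records below are constructed samples (sids 1000001/1000002 and the hosts are
made up); only the "[**] [gid:sid:rev] msg [**]" header line of each record is
parsed, and a rule without an explicit gid is taken as gid 1.

```python
import re
from collections import defaultdict

# Constructed sample rules file: one drop rule and one alert rule.
SAMPLE_RULES = """
# comment lines and blank lines are ignored
drop tcp any any -> any 80 (msg:"TEST drop rule"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"TEST alert rule"; sid:1000002; rev:1;)
"""

# Constructed sample in the style of alert_full output (two records).
SAMPLE_LOG = """[**] [1:1000001:1] TEST drop rule [**]
[Classification: Misc activity] [Priority: 3]
11/24-03:46:58.123456 10.0.0.1:1234 -> 10.0.0.2:80
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40

[**] [1:1000002:1] TEST alert rule [**]
[Classification: Misc activity] [Priority: 3]
11/24-03:47:01.654321 10.0.0.1:1235 -> 10.0.0.2:22
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40
"""

ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s', re.I)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)')
# alert_full record header: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r'^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s*$')


def load_rule_actions(rules_text):
    """Map (gid, sid) -> action for every rule line in the rules file."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        act = ACTION_RE.match(line)
        sid = SID_RE.search(line)
        if not act or not sid:
            continue  # not a rule line we can classify
        gid = GID_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        actions[key] = act.group(1).lower()
    return actions


def split_log_by_action(log_text, actions):
    """Group alert_full records by the action of the rule that produced them.

    Returns {action: [record, ...]}; records whose gid:sid is not in the
    rules file are filed under 'unknown' so nothing is silently dropped.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        gid, sid, rev, msg = m.groups()
        action = actions.get((int(gid), int(sid)), 'unknown')
        buckets[action].append({'gid': int(gid), 'sid': int(sid),
                                'rev': int(rev), 'msg': msg})
    return dict(buckets)


if __name__ == '__main__':
    by_action = split_log_by_action(SAMPLE_LOG, load_rule_actions(SAMPLE_RULES))
    for action, records in sorted(by_action.items()):
        for r in records:
            print(f"{action}\t{r['gid']}:{r['sid']}:{r['rev']}\t{r['msg']}")
```

Because the lookup is keyed on gid:sid, the same script works on any
alert_full file as long as the rules file it is given is the one Snort loaded;
a sid that has been renumbered since the log was written ends up in the
'unknown' bucket rather than being misfiled.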
