[Snort-users] rule type declarations type "drop"

justin joseph justinjoseph007 at ...11827...
Tue Nov 24 04:20:55 EST 2009


On Tue, Nov 24, 2009 at 2:16 PM, justin joseph
<justinjoseph007 at ...11827...> wrote:
> Hi
>
> I wanted to have a separate log file for action "drop" (inline-mode)
> and as mentioned in the snort manual
> tested ruletype declarations.  I changed "drop" to "mydrop" in the
> rules file and in the snort.conf file gave
> the below mydrop ruletype declaration:
>
> ruletype mydrop
> {
>  type drop
>  output alert_full: /var/log/snort/mydrop.full
> }
>
> This does not work with the below error:
>
> ERROR: /etc/snort/snort-ips.conf(702): Invalid type for rule type
> declaration: drop
> Fatal Error, Quitting..

I was running snort-2.8.4.  Looking at the sources of the latest
stable release snort-2.8.5.1, I figured
out that type "drop" is now supported.  But while attempting to
compile and then run 2.8.5.1 I am getting
the below error:

ERROR: plugbase.c(911) Snort config for parsing is NULL.
Fatal Error, Quitting..

I have not changed anything other than the snort version from 2.8.4 to
2.8.5.1; the /etc/snort files,
including snort.conf, are unchanged from 2.8.4.

>
> However, this works if the type is "alert", why does the ruletype not
> support type "drop"?
>
> Is there any other mechanism to distinguish between logs for drops and
> alert rules?  Some of my rules are drop
> and others alert while running in in-line mode.
>
> Thank you
> Justin
>
