[Snort-users] rule type declarations type "drop"

Todd Wease twease at ...1935...
Tue Nov 24 05:23:36 EST 2009


On 11/24/2009 04:20 AM, justin joseph wrote:
> On Tue, Nov 24, 2009 at 2:16 PM, justin joseph
> <justinjoseph007 at ...11827...>  wrote:
>> Hi
>>
>> I wanted to have a separate log file for action "drop" (inline mode)
>> and, as mentioned in the Snort manual,
>> tested ruletype declarations.  I changed "drop" to "mydrop" in the
>> rules file and in the snort.conf file gave
>> the below mydrop ruletype declaration:
>>
>> ruletype mydrop
>> {
>>   type drop
>>   output alert_full: /var/log/snort/mydrop.full
>> }
>>
>> This does not work with the below error:
>>
>> ERROR: /etc/snort/snort-ips.conf(702): Invalid type for rule type
>> declaration: drop
>> Fatal Error, Quitting..
>
> I was running snort-2.8.4.  Looking at the sources of the latest
> stable release snort-2.8.5.1, I figured
> out that type "drop" is now supported.  But while attempting to
> compile and then run 2.8.5.1, I'm getting
> the below error:
>
> ERROR: plugbase.c(911) Snort config for parsing is NULL.
> Fatal Error, Quitting..
>
> I have not changed anything other than the snort version from 2.8.4 to
> 2.8.5.1, /etc/snort files
> including the snort.conf is unchanged from 2.8.4.

This works fine for me.  However, I get the same error if I use a 
2.8.5.1 snort binary with 2.8.4.1 dynamic libraries.  Make sure your 
snort.conf is now pointing to the 2.8.5.1 dynamic libraries you installed.

>
>>
>> However, this works if the type is "alert", why does the ruletype not
>> support type "drop"?
>>
>> Is there any other mechanism to distinguish between logs for drop and
>> alert rules?  Some of my rules are drop
>> and others alert while running in inline mode.
>>
>> Thank you
>> Justin
>>
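The two problems in this thread are both snort.conf problems that only surface when Snort is restarted: a ruletype declaration whose type the running version does not accept, and dynamic* directives still pointing at the previous version's libraries. The script below is an added pre-flight check written for this page, not code from the thread or from the Snort project. It parses a constructed snort.conf fragment (the mydrop block is modelled on the one quoted above; the myalert block, the dynamic* paths and the two rules are invented), flags ruletype declarations whose type a given version rejects, and flags dynamic* paths that do not exist on disk. The accepted-type sets are assumptions: the thread only establishes that 2.8.4 rejects "drop" and accepts "alert", and that 2.8.5.1 accepts "drop"; the remaining entries are illustrative. The check does not follow `include` directives.

```python
"""Pre-flight check of a snort.conf before restarting Snort after an upgrade.

Added example for this thread; not Snort project code. The type sets below are
assumptions apart from the alert/drop facts stated in the thread.
"""
import os
import re
import tempfile

# Types a "ruletype" declaration may carry, per Snort version (assumed sets;
# only "alert" in 2.8.4 and "drop" in 2.8.5.1 are confirmed by the thread).
RULETYPE_TYPES = {
    "2.8.4": {"alert", "log", "pass"},
    "2.8.5.1": {"alert", "log", "pass", "drop", "sdrop", "reject"},
}

# ruletype NAME { ... }  -- body may span several lines
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
# dynamicengine|dynamicdetection|dynamicpreprocessor [directory|file] PATH
DYNAMIC_RE = re.compile(
    r"^\s*(dynamicengine|dynamicdetection|dynamicpreprocessor)\s+"
    r"(?:(?:directory|file)\s+)?(\S+)", re.M)


def parse_ruletypes(conf_text):
    """Return {name: {"type": str or None, "outputs": [..]}} per ruletype block."""
    found = {}
    for name, body in RULETYPE_RE.findall(conf_text):
        rtype, outputs = None, []
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("type "):
                rtype = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                outputs.append(line.split(None, 1)[1].strip())
        found[name] = {"type": rtype, "outputs": outputs}
    return found


def check_ruletypes(conf_text, snort_version):
    """Errors for declarations the given version would refuse, or that log nowhere."""
    allowed = RULETYPE_TYPES[snort_version]
    errors = []
    for name, info in parse_ruletypes(conf_text).items():
        if info["type"] not in allowed:
            errors.append(
                f"ruletype {name}: invalid type for rule type declaration: {info['type']}")
        if not info["outputs"]:
            errors.append(f"ruletype {name}: no output plugin, events would go nowhere")
    return errors


def parse_dynamic_paths(conf_text):
    """Return [(directive, path), ...] for every dynamic* directive."""
    return DYNAMIC_RE.findall(conf_text)


def check_dynamic_paths(conf_text):
    """Errors for dynamic* paths that are missing on this host (stale lib dirs)."""
    return [f"{directive}: {path} does not exist"
            for directive, path in parse_dynamic_paths(conf_text)
            if not os.path.exists(path)]


def constructed_conf(libroot):
    """Constructed snort.conf fragment; library paths are placed under libroot."""
    return f"""
dynamicpreprocessor directory {libroot}/snort_dynamicpreprocessor/
dynamicengine {libroot}/snort_dynamicengine/libsf_engine.so
dynamicdetection directory {libroot}/snort_dynamicrules/

ruletype mydrop
{{
  type drop
  output alert_full: /var/log/snort/mydrop.full
}}

ruletype myalert
{{
  type alert
  output alert_full: /var/log/snort/myalert.full
}}

mydrop tcp any any -> any 23 (msg:"constructed drop rule"; sid:1000001;)
myalert tcp any any -> any 21 (msg:"constructed alert rule"; sid:1000002;)
"""


def run_checks(snort_version="2.8.5.1"):
    """Build a throwaway lib tree where only the preprocessor dir and the engine
    .so exist (the dynamicrules dir is deliberately absent), then run both
    checks. Returns (ruletype_errors, path_errors)."""
    with tempfile.TemporaryDirectory() as libroot:
        os.makedirs(os.path.join(libroot, "snort_dynamicpreprocessor"))
        os.makedirs(os.path.join(libroot, "snort_dynamicengine"))
        open(os.path.join(libroot, "snort_dynamicengine", "libsf_engine.so"), "w").close()
        conf = constructed_conf(libroot)
        return check_ruletypes(conf, snort_version), check_dynamic_paths(conf)


if __name__ == "__main__":
    for version in ("2.8.4", "2.8.5.1"):
        rt_errors, path_errors = run_checks(version)
        print(f"== snort {version} ==")
        for err in rt_errors + path_errors:
            print("  ", err)
```

Against a real install, replace `constructed_conf()` with the contents of /etc/snort/snort.conf and the version string with the binary's `snort -V` output; a path error on `dynamicengine` or `dynamicpreprocessor` is the situation Todd describes, and the fix is to point those directives at the directory the new version's `make install` wrote to.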