[Snort-users] rule type declarations type "drop"

justin joseph justinjoseph007 at ...11827...
Tue Nov 24 05:10:14 EST 2009


On Tue, Nov 24, 2009 at 2:50 PM, justin joseph
<justinjoseph007 at ...11827...> wrote:
> On Tue, Nov 24, 2009 at 2:16 PM, justin joseph
> <justinjoseph007 at ...11827...> wrote:
>> Hi
>>
>> I wanted to have a separate log file for action "drop" (inline-mode)
>> and as mentioned in the snort manual
>> tested ruletype declarations.  I changed "drop" to "mydrop" in the
>> rules file and in the snort.conf file gave
>> the below mydrop ruletype declaration:
>>
>> ruletype mydrop
>> {
>>  type drop
>>  output alert_full: /var/log/snort/mydrop.full
>> }
>>
>> This does not work with the below error:
>>
>> ERROR: /etc/snort/snort-ips.conf(702): Invalid type for rule type
>> declaration: drop
>> Fatal Error, Quitting..
>
> I was running snort-2.8.4.  Looking at the sources of the latest
> stable release snort-2.8.5.1, I figured
> out that type "drop" is now supported.  But while attempting to
> compile and then run 2.8.5.1 I am getting
> the below error:
>
> ERROR: plugbase.c(911) Snort config for parsing is NULL.
> Fatal Error, Quitting..
>
> I have not changed anything other than the snort version from 2.8.4 to
> 2.8.5.1, /etc/snort files
> including the snort.conf is unchanged from 2.8.4.

The library paths in the conf file had to be changed.  Now things work
as expected (in the 2.8.5.1 version)
with support for ruletype declaration type "drop".

Thank you
Justin



