Snort mailing list archives
Rule Question
From: Edwin Covert <ecovert () ICSCORP com>
Date: Fri, 11 May 2001 09:50:37 -0400
All,

I have the following rule I have added:

alert tcp $MACHINE_NAME any <> any any (msg:"Activity on User's Machine"; logto:"UserLOG.txt";)

This rule was designed to monitor all traffic from a particular user's machine. I have already added a var MACHINE_NAME to the beginning of my rules list.

My question is the logto: function. I took that bit of info from the "Writing Snort Rules" page off of the website. However, I am running Snort 1.6 on a Win32 machine. I call Snort from a batch file that reads:

%windir%\snort\win32-prj\release\snort.exe -l snort_log -c rules.snort -A full -v

Do I need to add anything else to my rule to ensure this alert gets logged to the specific file?

Thanks!

Ed

Edwin Covert, CISSP, GCIH
Information Assurance
Integrated Communication Solutions/Government Services
5300 Westview Drive, Suite 401
Frederick, Maryland 21703
Phone: 301-695-8800, x256
Fax: 301-695-8877
Cell: 301-514-1334
http://www.icscorp.com
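A small checker for rules of the shape posted above, added here as an example and not code from the thread or from the Snort project: it expands var references in the header, splits the option list, and reports where a logto: file would be written. It assumes (as the Snort rule documentation describes) that the logto name is created relative to the directory given with -l, and the MACHINE_NAME address in the sample is constructed.

```python
import re

# Snort 1.x rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# One option: key, optional ":value" (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rules(text):
    """Parse 'var NAME value' lines and rules; $NAME in header fields is expanded."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('var '):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError('unparseable rule: ' + line)
        rule = m.groupdict()
        for field in ('src', 'sport', 'dst', 'dport'):
            if rule[field].startswith('$'):
                rule[field] = variables[rule[field][1:]]  # KeyError: var never defined
        rule['opts'] = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(rule.pop('opts'))]
        rules.append(rule)
    return rules


def logto_target(rule, log_dir):
    """Path the rule's logto: file lands in (assumed relative to the -l directory), or None."""
    for key, value in rule['opts']:
        if key == 'logto':
            return log_dir.rstrip('/\\') + '/' + value
    return None


# Constructed sample mirroring the rule in the post; the host address is made up.
SAMPLE = """
var MACHINE_NAME 192.168.1.50
alert tcp $MACHINE_NAME any <> any any (msg:"Activity on User's Machine"; logto:"UserLOG.txt";)
"""

if __name__ == '__main__':
    for r in parse_rules(SAMPLE):
        print(r['src'], r['dir'], r['dst'], '->', logto_target(r, 'snort_log'))
```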