Rule Question

[Edwin Covert <ecovert () ICSCORP com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,
I have the following rule I have added:

alert tcp $MACHINE_NAME any <> any any (msg:"Activity on User's
Machine"; logto:"UserLOG.txt";)

This rule was designed to monitor all traffic from a particular
user's machine.  I have already added a var MACHINE_NAME to the
beginning of my rules list.  My question is the logto: function.  I
took that bit of info from the "Writing Snort Rules" page off of the
website.  Howvever, I am running Snort 1.6 on a Win32 machine.  I
call Snort from a batch file that reads:

%windir%\snort\win32-prj\release\snort.exe -l snort_log -c
rules.snort -A full -v.

Do I need to add anything else to my rule to ensure this alert gets
logged to the specific file?

Thanks!
Ed



Edwin Covert, CISSP, GCIH
Information Assurance
________________________________________
Integrated Communication Solutions/Government Services
5300 Westview Drive, Suite 401
Frederick, Maryland 21703
Phone: 301-695-8800, x256
Fax: 301-695-8877
Cell: 301-514-1334
http://www.icscorp.com

NOTE:  The information transmitted is intended only for the person or
entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of,
or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Encryption makes the world safer

iQA/AwUBOvvt7jIjXbhrEgfyEQKryQCeOR/xlC9aMvoTIbfG/0fWzTN06mAAoOmw
WDvjLZWYlJHBq8BEOCIY/2IX
=vaRH
-----END PGP SIGNATURE-----

Attachment: PGPexch.rtf.asc
Description: