Snort mailing list archives

Re: What is ruletype type good for?


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 5 Jul 2002 09:59:32 -0700 (PDT)

On Fri, 5 Jul 2002 carold () gmx net wrote:

I am unable to find out what is the functional significance of "type alert"
or "type log" in "ruletype". My assumption was that it sets processing
priority for rules of this type but this is not the case. Even if I have
"ruletype myalert" of "type alert" Snort will process these rules as
alert->pass->log->myalert, which does not make sense in my mind.

Could anybody clarify?

Sure.  From:

        http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1

[...snip...]

        1. alert - generate an alert using the selected alert method, and then
           log the packet

        2. log - log the packet

[...snip...]

That's the functional difference.  One logs only (log) and one 'rings a bell'
and logs.

Now as for why the rule order is alert->pass->log->myalert...

This depends on how the rule is organized off of the tree.  It's not so much
priority, as it is a layout.  First the alerts are applied (most important
things first), then skipping things, then saving things, then 'user defined'
since it might take longer to do them.

I've got a url I'll have to dig up for a better explanation than that...

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
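As an added example (not part of Erek's reply or the Snort docs he quotes), here is a snort.conf fragment showing what "type alert" versus "type log" changes in a custom ruletype, together with the config order directive that alters the evaluation order discussed above; the output file names and sid values are placeholders.

```conf
# Added example, not from the original post.  A custom ruletype named
# "myalert" declared as "type alert": it raises an alert AND logs the
# packet, using the output plugins listed inside the block.
ruletype myalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: myalert.log
}

# A "type log" ruletype only records the packet; nothing 'rings a bell'.
ruletype quietlog
{
    type log
    output log_tcpdump: quietlog.log
}

# Rules that use the custom actions.  $HOME_NET and $EXTERNAL_NET are the
# usual snort.conf variables; the sid numbers are placeholders in the
# local (>= 1000000) range.
myalert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inbound telnet attempt"; flags:S; sid:1000001; rev:1;)
quietlog tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Inbound ftp attempt"; flags:S; sid:1000002; rev:1;)

# Default evaluation order is alert -> pass -> log -> activation -> dynamic,
# with user-defined types such as myalert after those.  "config order"
# changes it; this puts pass rules ahead of alert rules (same effect as
# the -o command-line switch), so a pass rule can suppress a noisy alert.
config order: pass alert log activation
```

Because myalert is evaluated after the built-in alert and log rules, a packet that also matches a stock alert rule is reported by that rule first; check both outputs when tuning.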


