Snort mailing list archives
Re: What is ruletype type good for?
From: "Andrew R. Baker" <andrewb () snort org>
Date: Sun, 07 Jul 2002 17:36:40 -0400
carold () gmx net wrote:
Maybe this will explain it: I completely agree with your statements above. Where we differ and what puzzles me is if I define custom rule class (using "ruletype" definition) and explicitly declare it as "type alert" then I would expect rules of this class to be treated just like a any other alert (with the exception of customized alert and log outputs). Namely, I would expect these rules to be of the same processing priority as other alerts. Since this is not the case and these rules are in fact processed last then the _only_ differentiator between declaring this class as "type alert" or "type log" is the availability of the alert output. Going back to my original wording: "type alert" in "ruletype" will NOT give me true alert rule (with customized output) but merely a "last-in-the-food-line" rule with access to alert output plugins. I see a lot of value for true alert rules with customized output but not much value for the current functionality. Why would I need alert output plugins for rules that are processed last? Perhaps the best long-term approach would be to let each user define both output plugins and processing priority for each rule class, as opposed to the current limited "-o" functionality. :-O
I think you have missed one very important config file option that should be used with custom rule types. Add
config order: ruletype1, ruletype2, ruletype3, ...
after you have declared all the rule types in the config file and they will get processed in that order. Be sure to include the standard ruletypes also. By default, new rule types are processed after the standard rule types. There were two goals behind the custom ruletype code:
1) Allow customized output plugin binding for different alert/log rules.
2) Allow for more control over the order that rules are evaluated.
I wrote the code because I needed to be able to interleave some pass rules between two sets of alert rules.
Is there something else you want to be able to do with the custom rule types?
-A
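The effect of "config order" on custom rule types, as an added example that is not part of this thread: a small parser for the ruletype blocks and the order line, which reports the resulting evaluation order and flags any type left out of an explicit order. It assumes the built-in default order alert, pass, log (the "-o" switch swaps alert and pass); the snort.conf fragment is constructed for the example.

```python
import re

# Built-in rule types in Snort's default evaluation order (alert before pass
# before log; "-o" swaps alert and pass). Assumption made for this example.
STANDARD_ORDER = ["alert", "pass", "log"]

RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)")
ORDER_RE = re.compile(r"^\s*config\s+order:\s*(.+)$")

def parse_conf(text):
    """Return ({custom type -> base type, in declaration order}, explicit order or None)."""
    custom, order, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if m := RULETYPE_RE.match(line):
            current = m.group(1)
            custom[current] = None
        elif current and (m := TYPE_RE.match(line)):
            custom[current] = m.group(1)               # base behaviour: alert or log
        elif line == "}":
            current = None
        elif m := ORDER_RE.match(line):
            order = [t for t in re.split(r"[,\s]+", m.group(1)) if t]
    return custom, order

def effective_order(custom, order):
    """An explicit 'config order' wins; without it, custom types run after the standard ones.
    Returns (evaluation order, types missing from an explicit order)."""
    if order is None:
        return STANDARD_ORDER + list(custom), []
    missing = [t for t in STANDARD_ORDER + list(custom) if t not in order]
    return order, missing

# Constructed snort.conf fragment: a second set of alert rules ("lowpri") that
# should be evaluated after the pass rules but before the log rules.
SAMPLE_CONF = """
ruletype lowpri
{
  type alert
  output alert_fast: lowpri.alerts
}
config order: alert, pass, lowpri, log
"""

if __name__ == "__main__":
    custom, order = parse_conf(SAMPLE_CONF)
    print(effective_order(custom, order))   # (['alert', 'pass', 'lowpri', 'log'], [])
    print(effective_order(custom, None))    # (['alert', 'pass', 'log', 'lowpri'], [])
```

A non-empty second element from effective_order means a type was omitted from "config order", which is the mistake the reply warns about when it says to include the standard ruletypes too.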