Snort mailing list archives
ruletype question
From: Brett.Gillett () tsx ca
Date: Wed, 21 Aug 2002 13:05:29 -0400
Hey everyone, I have a question about creating custom ruletypes... I have created a custom ruletype called 'tbt' -- here it is...

ruletype tbt
{
    type alert
    output log_tcpdump: tbt.log
    output alert_full: tbt_full
    output alert_fast: tbt_fast
}

My regular snort configuration looks like this...

<snip>
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=XXXXXX password=XXXXXXX dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output xml: log, file=/var/log/snortxml
output alert_full: /var/log/snort/snort_full
output alert_fast: /var/log/snort/snort_fast
output alert_full: snort_full
output alert_fast: snort_fast
</snip>

Here's my rule:

tbt ip a.b.c.0/24 any -> $INTERNAL any (msg: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx";)

Here's the question... When I start up snort, it does create the tbt_full and tbt_fast files, but it doesn't create the tbt-XXX.log binary file. The idea is to have a regular snort binary file with all the information, and the tbt binary file will have only specific information... I would assume that this is possible, it's just the way I have it configured... Any suggestions would be appreciated.

TIA,
Brett