Snort mailing list archives

ruletype question


From: Brett.Gillett () tsx ca
Date: Wed, 21 Aug 2002 13:05:29 -0400

Hey everyone,

I have a question about creating custom ruletypes... I have created a
custom ruletype called 'tbt' -- here it is...

ruletype tbt {
        type alert
        output log_tcpdump: tbt.log
        output alert_full: tbt_full
        output alert_fast: tbt_fast
}

My regular snort configuration looks like this...

<snip>
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=XXXXXX password=XXXXXXX dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output xml: log, file=/var/log/snortxml
output alert_full: /var/log/snort/snort_full
output alert_fast: /var/log/snort/snort_fast
output alert_full: snort_full
output alert_fast: snort_fast
</snip>

Here's my rule

tbt ip a.b.c.0/24 any -> $INTERNAL any (msg:
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx";)

Here's the question... When I start up snort, it does create the tbt_full
and tbt_fast files, but it doesn't create the tbt-XXX.log binary file.  The
idea is to have a regular snort binary file with all the information and
the tbt binary file with only specific information...

I would assume that this is possible; it's just the way I have it
configured...

Any suggestions would be appreciated.


TIA,

Brett
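Added example, not code from the post or from the Snort project: a small Python checker that parses `ruletype` blocks, global `output` lines and rule actions from a Snort-style config, so you can confirm that a rule's action (here `tbt`) is actually bound to a defined ruletype and list which file targets each ruletype's output plugins name. The sample config is constructed from the post; the function names are my own.

```python
import re

# Constructed sample, assembled from the ruletype block, two global output
# lines and the rule shown in the post (msg text shortened).
SAMPLE_CONF = """\
ruletype tbt {
        type alert
        output log_tcpdump: tbt.log
        output alert_full: tbt_full
        output alert_fast: tbt_fast
}
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
tbt ip a.b.c.0/24 any -> $INTERNAL any (msg:"example";)
"""

# Snort's built-in rule actions; anything else must be a declared ruletype.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

def parse_snort_conf(text):
    """Return (ruletypes, global_outputs, rules).

    ruletypes: {name: {"type": base action, "outputs": [(plugin, args)]}}
    global_outputs: [(plugin, args)] declared outside any ruletype block
    rules: [(action, rule line)] for lines shaped like 'action proto src port -> ...'
    Simplification: '#' starts a comment, so a '#' inside a msg string would be cut.
    """
    ruletypes, global_outputs, rules = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.match(r"ruletype\s+(\w+)\s*\{", line):
            current = ruletypes.setdefault(m.group(1), {"type": None, "outputs": []})
        elif line == "}":
            current = None
        elif m := re.match(r"output\s+(\w+)\s*:\s*(.*)", line):
            (current["outputs"] if current else global_outputs).append((m.group(1), m.group(2)))
        elif (m := re.match(r"type\s+(\w+)", line)) and current:
            current["type"] = m.group(1)
        elif m := re.match(r"(\w+)\s+\w+\s+\S+\s+\S+\s*->", line):
            rules.append((m.group(1), line))
    return ruletypes, global_outputs, rules

def check_rule_actions(ruletypes, rules):
    """Rule lines whose action is neither built in nor a defined ruletype."""
    return [r for a, r in rules if a not in BUILTIN_ACTIONS and a not in ruletypes]

def expected_files(ruletypes):
    """Map each ruletype to the first argument (file target) of each output plugin."""
    return {n: [args.split()[0] for _, args in rt["outputs"]] for n, rt in ruletypes.items()}
```

Relative targets such as `tbt.log` are listed as written; where Snort actually places them depends on its log directory setting, so compare the list against the directory you expect the files in.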


