Snort mailing list archives

Re: conflict with alert types


From: Martin Olsson <elof () sentor se>
Date: Tue, 2 Dec 2003 18:11:52 +0100 (CET)


On Tue, 2 Dec 2003, Jordi Vidal wrote:
      I set up a rule to alert via SMB, but it conflicts with the standard
alert file.
      In my local.rules file I wrote:
---
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
smbalert tcp $HOME_NET any <> any any
(msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
---
Then, if I start snort, this rule works fine but no other alerts are
dumped to /var/log/snort/alert; the file is not even created at startup.

First, I would put all my ruletype declarations directly in snort.conf,
not in the *.rules files.

Secondly, in snort.conf, have you specified any "default" output system?
Like this:

snort.conf:
...
...
output alert_fast: snort.alert
...
...
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
...
...

/Martin
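The two points Martin makes (ruletype declarations belong in snort.conf, and a default output plugin must be declared outside any ruletype block or the standard alert file is never written) can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: a small Python linter that parses Snort config fragments, separates top-level `output` lines from those nested in `ruletype { ... }` blocks, and reports the misconfiguration Jordi describes. The sample snort.conf and local.rules texts are constructed to mirror the two configurations shown above; the `lint` and `parse_config` names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape Martin recommends: a default (global)
# output plugin in snort.conf plus a custom ruletype with its own output.
SAMPLE_SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
# default destination for ordinary alerts
output alert_fast: snort.alert
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
include $RULE_PATH/local.rules
"""

# Constructed sample matching the original post: the ruletype is declared in
# the rules file and no global output plugin exists anywhere.
SAMPLE_LOCAL_RULES = """\
ruletype smbalert
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}
smbalert tcp $HOME_NET any <> any any (msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
"""

# 'ruletype NAME' optionally followed by '{' on the same line
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{?\s*$")
# 'output PLUGIN: arguments'
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")


def parse_config(text: str) -> Dict:
    """Split a Snort config fragment into global output plugins and ruletype blocks.

    Output lines inside a ruletype block belong to that ruletype only; output
    lines at top level are the default alert/log destinations.
    """
    global_outputs: List[Tuple[str, str]] = []
    ruletypes: Dict[str, Dict] = {}
    current = None  # name of the ruletype block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or full-line comment
        m = RULETYPE_RE.match(line)
        if m:
            current = m.group(1)
            ruletypes[current] = {"type": None, "outputs": []}
            continue
        if current is not None:
            if stripped == "{":
                continue
            if stripped == "}":
                current = None
                continue
            if stripped.startswith("type "):
                ruletypes[current]["type"] = stripped.split(None, 1)[1]
                continue
            m = OUTPUT_RE.match(line)
            if m:
                ruletypes[current]["outputs"].append((m.group(1), m.group(2).strip()))
            continue
        m = OUTPUT_RE.match(line)
        if m:
            global_outputs.append((m.group(1), m.group(2).strip()))
    return {"global_outputs": global_outputs, "ruletypes": ruletypes}


def lint(files: Dict[str, str]) -> List[str]:
    """Check a set of {filename: contents} for the two problems in the thread."""
    findings: List[str] = []
    any_global = False
    for name, text in files.items():
        parsed = parse_config(text)
        if parsed["global_outputs"]:
            any_global = True
        if name.endswith(".rules") and parsed["ruletypes"]:
            names = ", ".join(parsed["ruletypes"])
            findings.append(f"{name}: ruletype {names} declared in a rules file; move it to snort.conf")
    if not any_global:
        findings.append("no default output plugin (e.g. 'output alert_fast: ...') declared outside "
                        "ruletype blocks; standard alerts will not be written")
    return findings


if __name__ == "__main__":
    for f in lint({"local.rules": SAMPLE_LOCAL_RULES}):
        print("FINDING:", f)
    print("snort.conf findings:", lint({"snort.conf": SAMPLE_SNORT_CONF}))
```

Run against the constructed local.rules alone it reports both problems; run against the constructed snort.conf it reports none, because `output alert_fast` sits at top level and the ruletype block is in snort.conf.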


