Snort mailing list archives
Re: conflict with alert types
From: Jordi Vidal <jordivi () wtransnet net>
Date: Tue, 2 Dec 2003 19:25:05 +0100 (CET)
It worked! I didn't have a default alert definition.

Thank you!

--
Jordi
http://www.wtransnet.com
Technical Dept.

On Tue, 2 Dec 2003, Martin Olsson wrote:

> On Tue, 2 Dec 2003, Jordi Vidal wrote:
>
> > I set up a rule to alert via SMB but it conflicts with the standard alert file.
> > In my local.rules file I wrote:
> >
> > ---
> > ruletype smbalert
> > {
> >   type alert
> >   output alert_smb: /etc/snort/smbalerthosts
> > }
> >
> > smbalert tcp $HOME_NET any <> any any (msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;)
> > ---
> >
> > Then, if I start snort, this rule works fine but no other alerts are dumped
> > to /var/log/snort/alert, even the file is not created at startup.
>
> First, I would put all my ruletype declarations directly in snort.conf, not
> in the *.rules files.
>
> Secondly, in snort.conf, have you specified any "default" output system?
> Like this:
>
> snort.conf:
> ...
> ...
> output alert_fast: snort.alert
> ...
> ...
> ruletype smbalert
> {
>   type alert
>   output alert_smb: /etc/snort/smbalerthosts
> }
> ...
> ...
>
> /Martin
>
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN's Audience Survey.
> Help shape OSDN's sites and tell us what you think. Take this
> five minute survey and you could win a $250 Gift Certificate.
> http://www.wrgsurveys.com/2003/osdntech03.php?site=8
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
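Added example, not part of the original thread and not Snort's own code: a small Python check that reads a snort.conf and flags the situation resolved above, where a ruletype carries its own output but no top-level alert output is declared for the standard alert rules. The function name audit_outputs and both sample configs are constructed for illustration; treating only "alert_*" plugins as a default alert output is a simplifying assumption.

```python
import re

# Constructed sample snort.conf contents, modelled on the snippets in the thread.
WITHOUT_DEFAULT = """\
# custom rule type that alerts over SMB
ruletype smbalert
{
    type alert
    output alert_smb: /etc/snort/smbalerthosts
}
include local.rules
"""
WITH_DEFAULT = "output alert_fast: snort.alert\n" + WITHOUT_DEFAULT

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.DOTALL)
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)", re.MULTILINE)


def audit_outputs(conf_text):
    """Return (global_outputs, ruletype_outputs, warnings) for a snort.conf string."""
    # Drop '#' comments; enough for output/ruletype lines (simplification).
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    # Output plugins declared inside each ruletype { ... } block.
    ruletype_outputs = {
        name: re.findall(r"output\s+(\w+)", body)
        for name, body in RULETYPE_RE.findall(text)
    }
    # Whatever is left outside ruletype blocks holds the top-level outputs.
    global_outputs = OUTPUT_RE.findall(RULETYPE_RE.sub("", text))
    warnings = []
    custom = [name for name, outs in ruletype_outputs.items() if outs]
    if custom and not any(o.startswith("alert_") for o in global_outputs):
        warnings.append(
            "ruletype(s) %s define their own output but no top-level "
            "'output alert_*' line exists for the standard alert rules"
            % ", ".join(custom)
        )
    return global_outputs, ruletype_outputs, warnings


if __name__ == "__main__":
    for label, conf in (("without default", WITHOUT_DEFAULT),
                        ("with default", WITH_DEFAULT)):
        print(label, audit_outputs(conf))
```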
Current thread:
- conflict with alert types Jordi Vidal (Dec 02)
- Re: conflict with alert types Martin Olsson (Dec 02)
- Re: conflict with alert types Jordi Vidal (Dec 02)
- Re: conflict with alert types Martin Olsson (Dec 02)