Snort mailing list archives

Re: rule type declarations type "drop"


From: Todd Wease <twease () sourcefire com>
Date: Tue, 24 Nov 2009 05:23:36 -0500

On 11/24/2009 04:20 AM, justin joseph wrote:
On Tue, Nov 24, 2009 at 2:16 PM, justin joseph
<justinjoseph007 () gmail com>  wrote:
Hi

I wanted to have a separate log file for action "drop" (inline-mode)
and, as mentioned in the snort manual,
tested ruletype declarations.  I changed "drop" to "mydrop" in the
rules file and in the snort.conf file gave
the below mydrop ruletype declaration:

ruletype mydrop
{
  type drop
  output alert_full: /var/log/snort/mydrop.full
}

This does not work with the below error:

ERROR: /etc/snort/snort-ips.conf(702): Invalid type for rule type
declaration: drop
Fatal Error, Quitting..

I was running snort-2.8.4.  Looking at the sources of the latest
stable release snort-2.8.5.1, I figured
out that type "drop" is now supported.  But while attempting to
compile and then run 2.8.5.1 I am getting
the below error:

ERROR: plugbase.c(911) Snort config for parsing is NULL.
Fatal Error, Quitting..

I have not changed anything other than the snort version from 2.8.4 to
2.8.5.1; the /etc/snort files,
including snort.conf, are unchanged from 2.8.4.

This works fine for me.  However, I get the same error if I use a 
2.8.5.1 snort binary with 2.8.4.1 dynamic libraries.  Make sure your 
snort.conf is now pointing to the 2.8.5.1 dynamic libraries you installed.



However, this works if the type is "alert", why does the ruletype not
support type "drop"?

Is there any other mechanism to distinguish between logs for drops and
alert rules?  Some of my rules are drop
and others alert while running in in-line mode.

Thank you
Justin
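A check worth running before reloading a config like the one above: an added example, not from this thread or from the Snort project, that parses the ruletype declarations out of snort.conf and flags custom rule actions that are undeclared, or declared with a base type Snort will not accept. The built-in action set and the header regexes are assumptions about Snort 2.x syntax, and the sample config and rules are constructed.

```python
"""Cross-check Snort 2.x rule actions against ruletype declarations in snort.conf.

Reports ruletypes whose base "type" Snort would reject and rule actions that are
neither built in nor declared. The built-in action set is an assumption here.
"""
import re

# Built-in Snort 2.x actions, also the bases a ruletype may use (assumption;
# the thread confirms only that base type "drop" is accepted from 2.8.5.1).
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                   "drop", "reject", "sdrop"}
# "ruletype NAME { ... }" blocks, body may span lines.
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
# Rule header "ACTION PROTO SRC SPORT -> ..." ("<>" too); '#' comments don't match.
RULE_ACTION_RE = re.compile(r"^\s*(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)", re.M)

def parse_ruletypes(conf_text):
    """Return {ruletype_name: base_type} for every declaration in snort.conf."""
    types = {}
    for name, body in RULETYPE_RE.findall(conf_text):
        m = re.search(r"^\s*type\s+(\w+)", body, re.M)
        types[name] = m.group(1) if m else None
    return types

def check(conf_text, rules_text):
    """Return (bad_ruletypes, undeclared_actions), each a sorted list of names."""
    declared = parse_ruletypes(conf_text)
    bad_ruletypes = sorted(n for n, t in declared.items() if t not in BUILTIN_ACTIONS)
    actions = set(RULE_ACTION_RE.findall(rules_text))
    undeclared = sorted(actions - BUILTIN_ACTIONS - set(declared))
    return bad_ruletypes, undeclared

# Constructed sample inputs: the poster's "mydrop" declaration, one ruletype with
# a base type Snort 2.x does not know, and one rule using an undeclared action.
SAMPLE_CONF = """
ruletype mydrop
{
  type drop
  output alert_full: /var/log/snort/mydrop.full
}
ruletype quarantine_t
{
  type quarantine
}
"""
SAMPLE_RULES = """
mydrop tcp any any -> any 80 (msg:"constructed rule"; sid:1000001;)
alert tcp any any <> any 22 (msg:"constructed rule"; sid:1000002;)
mylog udp any any -> any 53 (msg:"constructed rule"; sid:1000003;)
"""
```

Running `check(SAMPLE_CONF, SAMPLE_RULES)` returns `(['quarantine_t'], ['mylog'])`; a clean pair of files returns two empty lists.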


