Snort mailing list archives
Snort ruletype for 2.9.x bug or question
From: Fatih USTA via Snort-devel <snort-devel () lists snort org>
Date: Tue, 1 Feb 2022 18:51:46 +0300
Hi, I posted my problem to the snort-users list. We couldn't solve the problem.
https://lists.snort.org/pipermail/snort-users/2022-January/000157.html
https://lists.snort.org/pipermail/snort-users/2022-February/000168.html

---

I'm trying to use "ruletype" for multiple logging outputs for specific rules. I defined a "ruletype" and used it in the rule. Normally the signature matches traffic and I saw it in the log, so there is no problem here.

Snort doesn't log the traffic when I want to use a different rule action for multiple logging outputs.

I think there is a bug here, or what am I missing for a correct configuration? I'm following this documentation: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00421000000000000000

Are there any ideas?

    output unified2: filename snort_unified.log, limit 128

    ruletype my_alert
    {
        type alert
        output unified2: filename snort_unified.log, limit 128
        output alert_syslog: log_auth log_alert
    }

    my_alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; content:"User-Agent|3a 20|testitest"; http_header; fast_pattern; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:1; metadata:attack_target SQL_Server, created_at 2016_10_19, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)

I tested on Snort 2.9.9.0 and 2.9.19.

----

Thanks. Regards.

--
Fatih USTA

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
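As an added example (not from the post above or from the Snort project), a small Python lint that parses `ruletype` blocks out of a snort.conf fragment and flags rules whose action is neither a built-in Snort action nor a declared ruletype carrying a `type` and at least one `output`. The config and rules embedded below are constructed, modelled on the ones quoted in the post.

```python
import re

# Constructed sample modelled on the post: a snort.conf fragment declaring a custom ruletype, plus three rules.
SNORT_CONF = """
output unified2: filename snort_unified.log, limit 128
ruletype my_alert
{
    type alert
    output unified2: filename snort_unified.log, limit 128
    output alert_syslog: log_auth log_alert
}
"""
RULES = """
my_alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"custom action"; sid:2023351; rev:1;)
alert tcp any any -> any 80 (msg:"builtin action"; sid:1000001; rev:1;)
log_only udp any any -> any 53 (msg:"undeclared action"; sid:1000002; rev:1;)
"""
# Actions Snort 2.9 accepts without a ruletype declaration.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{(.*?)\}", re.S | re.M)

def parse_ruletypes(conf):
    """Map each declared ruletype name to its 'type' and its output plugin lines."""
    declared = {}
    for name, body in RULETYPE_RE.findall(conf):
        entry = {"type": None, "outputs": []}
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("type "):
                entry["type"] = line.split(None, 1)[1]
            elif line.startswith("output "):
                entry["outputs"].append(line.split(None, 1)[1])
        declared[name] = entry
    return declared

def check_rules(rules_text, declared):
    """Return (sid, problem) pairs for rules whose action cannot produce any output."""
    problems = []
    for line in filter(None, map(str.strip, rules_text.splitlines())):
        if line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        sid = int(m.group(1)) if (m := re.search(r"sid:\s*(\d+)", line)) else None
        if action in BUILTIN_ACTIONS:
            continue
        rt = declared.get(action)
        if rt is None:
            problems.append((sid, f"action '{action}' has no ruletype declaration"))
        elif rt["type"] is None or not rt["outputs"]:
            problems.append((sid, f"ruletype '{action}' needs a 'type' and at least one 'output'"))
    return problems
```

Run `check_rules(RULES, parse_ruletypes(SNORT_CONF))` to see only the `log_only` rule reported; the `my_alert` rule passes because its ruletype block is complete.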
Current thread:
- Snort ruletype for 2.9.x bug or question Fatih USTA via Snort-devel (Feb 02)