Snort mailing list archives
Re: ruletype doesn't work at all ?!
From: "chlang" <chlang () kimo com>
Date: Wed, 23 May 2001 11:10:05 +0800
thanks for the response, I checked it today. My command line is:

    /usr/local/bin/snort -D -c /usr/local/share/snort/snort.conf

no -A or -s anywhere in it. But after another try, something strange happened: I tried this configuration using a newer version of snort (/* $Id: snort.c,v 1.90 2001/05/12 20:25:10 roesch Exp $ */) and it still does not work correctly, but after I switched back to the older version (official 1.7) it works pretty well. I wonder whether any OS-related configuration is needed (BSD 4.2), or whether I just need to reconfigure something. ^_^ I will try to revert back to the "old" failing state and find out what is wrong with it.

----- Original Message -----
From: "Joe McAlerney" <joey () SiliconDefense com>
To: "chlang" <chlang () mail techman com tw>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, May 23, 2001 2:25 AM
Subject: Re: [Snort-users] ruletype doesn't work at all ?!

What are your command line options? Are any of them overriding the output facilities defined in your rule type? -A and -s will do this.

-Joe M.

--
| Joe McAlerney                   joey () silicondefense com |
| Silicon Defense - Technical Support for Snort            |
| http://www.silicondefense.com/                           |
+-- --+

chlang wrote:

I tried to do the ruletype inside the snort.conf hoping to get more actions in response. "icmp destination not reachable" is not something I will react to when it occurs, just a log/alert is needed, and so is "Login Incorrect", but a backdoor attack must raise a redalert that sends a mail or a winpopup to me.... but enabling ruletype doesn't work for me. Here is what I do: inside snort.conf

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snort dbname=snort host=localhost
        output alert_smb: winhost.lst
    }

and have a test rule inside local-lib:

    redalert tcp any any -> any any (msg:"red-alert, test1"; content:"redtest1")

I get nothing to my syslog, database, or any popup. But it is working if I don't use any ruletype at all. Did I forget something? A compile option? Thanks in advance.

chlang () kimo com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
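A pre-flight check for the configuration discussed in this thread, added here as an example (it is not part of any post and not Snort's own code): it parses ruletype blocks out of a snort.conf, reports rules whose action names neither a built-in action nor a declared ruletype, and lists the -A/-s command-line flags that Joe's reply says override a ruletype's output plugins. The snort.conf fragment and rules file are constructed from the ones quoted in the thread; the misspelled action and the ICMP rule are added test input.

```python
import re

# Constructed snort.conf fragment, modelled on the ruletype posted in the thread.
SNORT_CONF = """
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
    output alert_smb: winhost.lst
}
"""
# Constructed rules file (the thread's local-lib), with one misspelled action.
RULES = """
redalert tcp any any -> any any (msg:"red-alert, test1"; content:"redtest1";)
alert icmp any any -> any any (msg:"icmp dest unreachable"; itype:3;)
redalertt tcp any any -> any any (msg:"typo in action";)
"""
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)

def parse_ruletypes(conf):
    """Map each ruletype name to its base type and its output plugin lines."""
    types = {}
    for name, body in RULETYPE_RE.findall(conf):
        base, outputs = None, []
        for line in (ln.strip() for ln in body.splitlines()):
            if line.startswith("type "):
                base = line.split(None, 1)[1]
            elif line.startswith("output "):
                outputs.append(line[len("output "):])
        types[name] = {"type": base, "outputs": outputs}
    return types

def undefined_actions(rules, ruletypes):
    """Rule actions that are neither built in nor a declared ruletype."""
    bad = []
    for line in rules.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action = line.split(None, 1)[0]
            if action not in BUILTIN_ACTIONS and action not in ruletypes:
                bad.append(action)
    return bad

def overriding_flags(cmdline):
    """-A and -s on the command line override a ruletype's output plugins."""
    return [a for a in cmdline.split() if a == "-s" or a.startswith("-A")]
```

Running the check against the command line chlang posted returns no overriding flags, so on that evidence the rule's action and the ruletype's output plugins are the next things to verify.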
Current thread:
- ruletype doesn't work at all ?! chlang (May 18)
- Re: ruletype doesn't work at all ?! Joe McAlerney (May 22)
- Re: ruletype doesn't work at all ?! chlang (May 22)
- Re: ruletype doesn't work at all ?! Joe McAlerney (May 22)