Snort mailing list archives
Re: What is ruletype type good for?
From: carold () gmx net
Date: Fri, 5 Jul 2002 19:19:02 +0200 (MEST)
On Fri, 5 Jul 2002 carold () gmx net wrote:I am unable to find out what is the functional significance of "typealert"or "type log" in "ruletype". My assumption was that it sets processing priority for rules of this type but this is not the case. Even if I have "ruletype myalert" of "type alert" Snort will process these rules as alert->pass->log->myalert, which does not make sense in my mind. Could anybody clarify?Sure. From: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1 [...snip...] 1.alert - generate an alert using the selected alert method, and then log the packet 2.log - log the packet [...snip...] That's the functional difference. One logs only (log) and one 'rings a bell' and logs.
Assuming I got this right, the sole meaning is that "type alert" in "ruletype" _enables_ (or _allows for_) output alert_<whatever> options? Namely, the meaning is _not_: "this is an alert rule".
Now as for why the rule order is alert->pass->log->myalert... This depends on how the rule is organized off of the tree. It's not so much priorty, as it is a layout. First the alerts are applied (most important things first), then skipping things, then saving things, then 'user defined' since it might take longer to do them. I've got a url I'll have to dig up for a better explanation than that... Hope that helps some! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
Thank you for your reply! -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Bringing you mounds of caffeinated joy. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- What is ruletype type good for? carold (Jul 05)
- Re: What is ruletype type good for? Erek Adams (Jul 05)
- Re: What is ruletype type good for? carold (Jul 05)
- Re: What is ruletype type good for? Erek Adams (Jul 06)
- Re: What is ruletype type good for? carold (Jul 07)
- Re: What is ruletype type good for? Andrew R. Baker (Jul 07)
- Re: What is ruletype type good for? carold (Jul 05)
- Re: Alert vs. Log (Was: What is ruletype type good for?) Erek Adams (Jul 06)
- Re: What is ruletype type good for? Erek Adams (Jul 05)