Snort mailing list archives

Re: What is ruletype type good for?


From: carold () gmx net
Date: Sun, 7 Jul 2002 18:39:55 +0200 (MEST)

On Fri, 5 Jul 2002 carold () gmx net wrote:

Assuming I got this right, the sole meaning is that "type alert" in
"ruletype" _enables_ (or _allows for_) output alert_<whatever> options?
Namely, the meaning is _not_: "this is an alert rule".

The way I see it--and as usual, someone please step in if I'm off base:

      Alerts--When you define something as an alert, two things happen.
Snort knows which 'tree' to place it in, and snort sends the packet thru
the 'Alert' channels.  Now, as a feature of coding, the 'Alert' channels
also make calls out to the 'Logs' channel.  So when something is 'Alerted
on' it's also logged.

      Logs--Works the same as an Alert, except that the packet never goes
thru the 'Alert' channel.  It just gets logged.

Am I answering your questions?  I sure hope so, since I've got a feeling
I'm "just not getting" what you're asking.  :-(

Maybe this will explain it: I completely agree with your statements above.
Where we differ and what puzzles me is if I define a custom rule class (using
a "ruletype" definition) and explicitly declare it as "type alert", then I would
expect rules of this class to be treated just like any other alert (with the
exception of customized alert and log outputs). Namely, I would expect these
rules to be of the same processing priority as other alerts.

Since this is not the case and these rules are in fact processed last, then
the _only_ differentiator between declaring this class as "type alert" or
"type log" is the availability of the alert output. Going back to my original
wording: "type alert" in "ruletype" will NOT give me a true alert rule (with
customized output) but merely a "last-in-the-food-line" rule with access to alert
output plugins.

I see a lot of value for true alert rules with customized output but not
much value for the current functionality. Why would I need alert output plugins
for rules that are processed last?

Perhaps the best long-term approach would be to let each user define both
output plugins and processing priority for each rule class, as opposed to the
current limited "-o" functionality.   :-O
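For readers unfamiliar with the syntax being discussed, here is a snort.conf fragment (an added illustration, not part of this thread) defining one custom rule class as "type alert" and one as "type log"; the class names, the syslog facility/level, the tcpdump file names, the ports and the sids are arbitrary placeholders.

```conf
# Custom rule class declared as "type alert": it can use alert_* output
# plugins (alert_syslog here) in addition to log_* plugins.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: redalert.log
}

# Custom rule class declared as "type log": only the log output path exists
# for it, so an alert_* output plugin cannot be attached here.
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}

# Rules then use the class name in place of the built-in action keyword
# (alert/log/pass). Ports, messages and sids below are placeholders.
redalert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"custom alert class"; sid:1000001;)
suspicious tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"custom log class"; sid:1000002;)
```

The thread's point is that this definition controls only which output plugins the class can use; per the message above, rules of either class are still evaluated after the built-in rule types.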
