Snort mailing list archives

Re: Barnyard woes


From: Paul Schmehl <pauls () utdallas edu>
Date: 18 Feb 2003 15:38:34 -0600

Has any consideration been given to adding more action options to the
rules?  Here's why I ask.  I've created a custom rule that allows me
(using flexresp) to reset both ends of the conversation.  The rule is
activated by any host that is included in a var - BLOCKED_HOSTS.  If I
set the database to log so I can see the payload, then I get tons of
alerts from this rule.  If I set the database to alert, then I don't see
the alerts from this rule, but I lose the payload information.

I'd like to see an action that would allow me to - not alert, but log
*locally only*, regardless of the setting of the database.  (Does this
make sense?)  Maybe you could call this action "activate", and the
action would be, the rule works, but the data doesn't get logged to the
database, only to the local logs (by IP address.)

Is this a problem with the database plugin?

Am I the only one who would like to see something like this?

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

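One way to get a rule whose events stay in a local packet log and never reach the database output, added here as an illustration rather than anything from Paul's post or from the Snort project: Snort's ruletype directive defines a custom action bound to its own output plugins, so a rule using it is not touched by the global output database line at all. The host list, the database connection details, the log file name and the sid below are assumed values.

```snort
# Added example (not from the original post): a custom Snort ruletype that
# writes matching packets to a local tcpdump-format file only, so the global
# "output database:" line never sees these events.
# Assumed values: the host list, the database settings, the file name, the sid.

var BLOCKED_HOSTS [192.0.2.10,192.0.2.11]

# Ordinary alert/log rules keep going to the database exactly as before
# (assumed connection settings; mode can be "alert" or "log" as in the
# existing snort.conf, it makes no difference to the custom ruletype).
output database: alert, mysql, user=snort dbname=snort host=localhost

# Custom action: behaves like "log", but only for the output plugins listed
# inside the block. Nothing here is sent to the database plugin above.
ruletype localonly
{
    type log
    output log_tcpdump: blocked_hosts.log
}

# Reset both ends of any TCP conversation involving a blocked host and keep
# the full packet (payload included) in the local tcpdump log only.
localonly tcp $BLOCKED_HOSTS any <> any any (msg:"Blocked host traffic reset"; resp:rst_all; sid:1000001; rev:1;)
```

The tcpdump file lands in the directory given by -l and can be read back with tcpdump -r or fed to Snort again for ASCII decoding, which keeps the payload visible without the database seeing every reset.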


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net