Snort mailing list archives

urgent problem with snort and guardian


From: Björn Brombach <b.brombach () drachenfels de>
Date: Thu, 28 Aug 2003 13:07:50 +0200

Hi all,
Installed are snort, mysql, guardian.
I start guardian in debug mode so as to see if alarms are properly notified.
Guardian should call a user-defined script upon every alert.
The problem is that only some alerts make guardian call the script and some
don't.

What I am trying to do is use the rules for the Cisco IPv4 bug, and upon
detection they should trigger guardian to execute the script.
These are the rules:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco SWIPE Protocol "; classtype:attempted-dos; ip_proto:53;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco IP Mobility Protocol "; classtype:attempted-dos; ip_proto:55;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco Sun ND Protocol "; classtype:attempted-dos; ip_proto:77;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco PIM Protocol "; classtype:attempted-dos; ip_proto:103;)

Snort detects the alerts and guardian shows them on screen in debugging
mode, but doesn't execute the script.
I even tried adding priority:1 to the rules, but it doesn't make any difference.

Doing an nmap scan or attacks with snot always trigger the script execution.
So, any idea what to change so that my rules trigger as well?

I have been trying to figure that out for two weeks now and need it solved
urgently.
Thanks for any help
-bb
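As an added illustration, not code from this thread, from Guardian or from Snort: a small Python dispatcher that parses Snort fast-format alert lines and builds the handler command for each one. It is written around a hypothesis that the thread itself does not confirm: a guardian-style parser whose regex expects "src:port -> dst:port" silently skips alerts from "alert ip" rules, because Snort logs those without port numbers. That would fit the symptom described above, where TCP-based nmap alerts trigger the script and the ip_proto rules do not. The alert lines, sids, IP addresses and script path below are all constructed for the example.

```python
import re
import subprocess
from typing import List, Optional

# Constructed Snort "fast"-format alert lines (not taken from the thread, sids
# made up). The first two are what an "alert ip ... ip_proto:N" rule logs:
# no port numbers, because the rule matches on the IP protocol field, not on
# TCP/UDP. The third is an ordinary TCP alert of the kind an nmap scan yields.
SAMPLE_ALERTS = """\
08/28-13:07:50.123456  [**] [1:1000001:1] Cisco IPv4 DoS Cisco SWIPE Protocol  [**] [Classification: Attempted Denial of Service] [Priority: 2] {IP} 10.1.2.3 -> 192.168.0.10
08/28-13:07:51.223456  [**] [1:1000002:1] Cisco IPv4 DoS Cisco PIM Protocol  [**] [Classification: Attempted Denial of Service] [Priority: 1] {IP} 10.1.2.3 -> 192.168.0.10
08/28-13:08:01.654321  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:4444 -> 192.168.0.10:22
"""


def _fast_pattern(ports_required: bool) -> "re.Pattern":
    """Build the line regex. ports_required=True mimics a parser that insists
    on src:port -> dst:port (the hypothesised guardian behaviour); False
    accepts the port-less form that protocol-level rules produce."""
    port = r":(?P<{name}>\d+)" if ports_required else r"(?::(?P<{name}>\d+))?"
    ip = r"\d{1,3}(?:\.\d{1,3}){3}"
    return re.compile(
        r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
        r"(?P<msg>.*?)\s+\[\*\*\]\s+"
        r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
        r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
        r"\{(?P<proto>[^}]+)\}\s+"
        + r"(?P<src>" + ip + r")" + port.format(name="sport")
        + r"\s+->\s+(?P<dst>" + ip + r")" + port.format(name="dport") + r"\s*$"
    )


_PORTS_REQUIRED = _fast_pattern(True)
_PORTS_OPTIONAL = _fast_pattern(False)


def parse_alert(line: str, ports_required: bool = False) -> Optional[dict]:
    """Parse one fast-format alert line into a dict, or None if it does not
    match. Numeric fields are converted; missing ports/priority become None."""
    m = (_PORTS_REQUIRED if ports_required else _PORTS_OPTIONAL).match(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def triggered_sources(log_text: str, ports_required: bool = False,
                      max_priority: Optional[int] = None) -> List[str]:
    """Return the source IP of every alert that would reach the handler.
    max_priority, if given, drops alerts whose priority number is larger
    (in Snort, 1 is the most severe)."""
    sources = []
    for line in log_text.splitlines():
        alert = parse_alert(line, ports_required)
        if alert is None:
            continue  # unparsed line: this is where an alert is lost silently
        if (max_priority is not None and alert["priority"] is not None
                and alert["priority"] > max_priority):
            continue
        sources.append(alert["src"])
    return sources


def build_command(alert: dict, script: str) -> List[str]:
    """argv for the user-defined handler script (hypothetical path/arguments).
    Fields are passed as separate arguments, never interpolated into a shell
    string, so rule text or addresses cannot alter the command."""
    return [script, alert["src"], alert["dst"], str(alert["sid"]), alert["msg"]]


def run_handler(alert: dict, script: str) -> int:
    """Execute the handler without a shell and return its exit status."""
    return subprocess.run(build_command(alert, script), check=False).returncode


if __name__ == "__main__":
    for required in (True, False):
        label = "ports required" if required else "ports optional"
        print(label, triggered_sources(SAMPLE_ALERTS, ports_required=required))
```

Running the block prints the sources that would trigger under each parser: with ports required only the TCP alert survives, with ports optional all three do. If a parser in the alert path really does behave like the strict variant, the fix is in the parser, not in the rules or their priority.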


