Snort mailing list archives

conflict with alert types


From: Jordi Vidal <jordivi () wtransnet net>
Date: Tue, 2 Dec 2003 17:00:07 +0100 (CET)

Hi


        I've just installed snort and am playing with the config files. I have a 
question; I hope someone can tell me what I'm doing wrong.

        I set up a rule to alert via SMB but it conflicts with standard 
alert file.

        In my local.rules file I wrote:

---
ruletype smbalert 
{
        type alert
        output alert_smb: /etc/snort/smbalerthosts
}  
smbalert tcp $HOME_NET any <> any any 
(msg:"TESTING";flow:to_server,established;flags: PA;content:"thisisatest";nocase;) 
---

Then, if I start snort, this rule works fine but no other alerts are 
dumped to /var/log/snort/alert; the file is not even created at startup.

If I launch snort with "-A full" the alert file works fine but the rule 
for SMB alerts doesn't.

I start snort like this:
/usr/local/snort/bin/snort -c /etc/snort/snort.conf -b -l /var/log/snort -D

snort is version 2.0.5 with the latest rulesets.




Kind Regards

Jordi
--
http://www.wtransnet.com
Dpto. Técnico





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

