Snort mailing list archives
Snort 2.2.0 ruletype not working
From: "Sudom, Don" <dsudom1 () wcb bc ca>
Date: Tue, 22 Feb 2005 14:59:28 -0800
Hi,

I am unsuccessfully trying to get the ruletype method to work as follows:

    ruletype auditlog
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_INFO
        output log_null
    }

    auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;)

I have disabled the corresponding alert rule in the icmp-info.rules file. If I re-enable the rule in the icmp-info.rules file it is picked up as an alert (as expected). If I disable it in icmp-info.rules and enable it in local.rules, no log is generated.

Is this a bug, as I cannot make any of the output plugins work within ruletype?

Regards,
Don
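A small consistency checker for the kind of configuration shown in the post above (an added example, not part of the original thread and not Snort's own code): it parses ruletype blocks and rule headers from one config text and reports rule actions with no matching ruletype, ruletypes with an unknown base type or no output plugin, and rules that appear before their ruletype is declared (that ordering check assumes a top-down parser). The sample config is constructed from the post plus one deliberately misspelled action.

```python
import re
# Constructed sample: the ruletype block and rule from the post above, plus one
# rule whose action is misspelled so the checker has something to flag.
SAMPLE_CONF = """\
ruletype auditlog
{
    type alert
    output alert_syslog: LOG_AUTH LOG_INFO
    output log_null
}
auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;)
audit_log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"misspelled action"; itype:8;)
"""
# Rule actions Snort 2 accepts without a ruletype declaration.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
# action proto src sport -> dst dport (options); the '<>' direction is not handled.
RULE_RE = re.compile(r"^(\w+)\s+\w+\s+\S+\s+\S+\s*->\s*\S+\s+\S+\s*\(.*\)\s*$", re.M)

def parse_ruletypes(conf):
    """Map each ruletype name to its base type, output lines and end offset."""
    types = {}
    for m in RULETYPE_RE.finditer(conf):
        spec = {"type": None, "outputs": [], "end": m.end()}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line.startswith("type "):
                spec["type"] = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                spec["outputs"].append(line.split(None, 1)[1].strip())
        types[m.group(1)] = spec
    return types

def check_conf(conf):
    """Return human-readable problems; an empty list means the config is consistent."""
    types = parse_ruletypes(conf)
    problems = []
    for name, spec in types.items():
        if spec["type"] not in BUILTIN_ACTIONS:
            problems.append(f"ruletype {name}: unknown base type {spec['type']!r}")
        if not spec["outputs"]:
            problems.append(f"ruletype {name}: declares no output plugin")
    for m in RULE_RE.finditer(conf):
        action = m.group(1)
        if action in BUILTIN_ACTIONS:
            continue
        if action not in types:
            problems.append(f"rule uses undeclared action {action!r}")
        elif m.start() < types[action]["end"]:
            # Assumption: a top-down parser must see the declaration before the rule.
            problems.append(f"rule uses {action!r} before its ruletype is declared")
    return problems
```

Running `check_conf` over a concatenation of snort.conf and the included rule files, in include order, shows whether a custom action like `auditlog` is actually resolvable where the rule is loaded.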