Snort mailing list archives

Snort ruletype for 2.9.x bug or question


From: Fatih USTA via Snort-devel <snort-devel () lists snort org>
Date: Tue, 1 Feb 2022 18:51:46 +0300

Hi,

I posted my problem to the snort-users list. We couldn't solve the problem.

https://lists.snort.org/pipermail/snort-users/2022-January/000157.html

https://lists.snort.org/pipermail/snort-users/2022-February/000168.html


---


I'm trying to use "ruletype" for multiple logging outputs for specific rules.
I defined a "ruletype" and used it in the rule.

Normally the signature matches the traffic and I see it in the log, so there is no problem here.

Snort doesn't log the traffic when I use a different rule action for multiple logging outputs.
I think there is a bug here, or what am I missing for a correct configuration?

I'm following this documentation.
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00421000000000000000


Are there any ideas?

output unified2: filename snort_unified.log, limit 128

ruletype my_alert {
     type alert
     output unified2: filename snort_unified.log, limit 128
     output alert_syslog: log_auth log_alert
}

my_alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; content:"User-Agent|3a 20|testitest"; http_header; fast_pattern; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:1; metadata:attack_target SQL_Server, created_at 2016_10_19, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)


I tested on Snort 2.9.9.0 and 2.9.19.

----



Thanks.

Regards.

--
Fatih USTA
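Added example (my own code, not the poster's configuration or part of Snort): a small Python lint that parses the ruletype blocks and rules from a snort.conf fragment like the one above and reports, per rule, the base action and the output plugins the rule is routed to, following the routing the linked manual describes (a custom ruletype uses only the outputs declared in its block, built-in actions use the global outputs). The sample config is constructed from the post with the rule options abridged, plus a deliberately misspelled action to show how an undeclared ruletype is flagged.

```python
import re

# Built-in Snort 2.9 actions; any other action word must be declared in a ruletype block.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{(.*?)^\s*\}", re.S | re.M)
OUTPUT_RE = re.compile(r"^\s*output\s+(.+?)\s*$", re.M)
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(?:tcp|udp|icmp|ip)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.M)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_ruletypes(conf):
    # name -> {"type": base action, "outputs": [output plugin specs declared inside the block]}
    types = {}
    for name, body in RULETYPE_RE.findall(conf):
        base = re.search(r"^\s*type\s+(\w+)", body, re.M)
        types[name] = {"type": base.group(1) if base else None,
                       "outputs": OUTPUT_RE.findall(body)}
    return types

def route_rules(conf):
    # One (sid, action, base type, outputs) tuple per rule; base None means the action is undeclared.
    types = parse_ruletypes(conf)
    global_outputs = OUTPUT_RE.findall(RULETYPE_RE.sub("", conf))  # outputs outside any ruletype
    report = []
    for action, options in RULE_RE.findall(conf):
        sid_m = SID_RE.search(options)
        sid = int(sid_m.group(1)) if sid_m else None
        if action in BUILTIN_ACTIONS:            # built-in actions use the global output plugins
            report.append((sid, action, action, global_outputs))
        elif action in types:                    # custom action: only the block's own outputs apply
            report.append((sid, action, types[action]["type"], types[action]["outputs"]))
        else:                                    # typo or missing ruletype block
            report.append((sid, action, None, []))
    return report

# Constructed sample: the poster's config with the rule body abridged, plus one misspelled action.
SAMPLE_CONF = """\
output unified2: filename snort_unified.log, limit 128
ruletype my_alert {
     type alert
     output unified2: filename snort_unified.log, limit 128
     output alert_syslog: log_auth log_alert
}
my_alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"User-Agent test"; flow:established,to_server; content:"User-Agent|3a 20|testitest"; http_header; sid:2023351; rev:1;)
my_alrt tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"misspelled action"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, action, base, outputs in route_rules(SAMPLE_CONF):
        print(f"sid {sid}: action={action!r} base={base} outputs={outputs}")
```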

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!