This is a discussion on [Snort-users] Snort 2.2.0 ruletype not working within the Snort forums, part of the System Security and Security Related category.
Hi,

I am unsuccessfully trying to get the ruletype method to work as follows:

ruletype auditlog
{
    type alert
    output alert_syslog: LOG_AUTH LOG_INFO
    output log_null
}

auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;)

I have disabled the corresponding alert rule in the icmp-info.rules file. If I re-enable the rule in the icmp-info.rules file it is picked up as an alert (as expected). If I disable it in icmp-info.rules and enable it in local.rules, no log is generated.

Is this a bug, as I cannot make any of the output plugins work within ruletype?

Regards,
Don
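The post's setup involves two files that have to agree: a custom ruletype declared in snort.conf and rules in local.rules whose action field names that ruletype. The following is an added example, not code from the post or from the Snort project: a small Python lint that parses Snort 2.x-style `ruletype` blocks out of a config fragment and then checks every rule in a rules fragment for an action that is either a Snort built-in action or one of the declared ruletypes, and flags ruletypes that declare no `output` line. The config and rules text are constructed inline, modelled on the configuration quoted above, with one deliberately misspelled action added so the lint has something to report; the set of built-in action names is the standard Snort 2.x set.

```python
"""
Added example (not from the original post or from Snort itself): lint a
snort.conf fragment and a rules fragment for consistent use of custom
ruletypes.  Both inputs are constructed below so the script runs offline.
"""
import re

# Standard Snort 2.x rule actions; anything else must be a declared ruletype.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# 'ruletype <name>' followed by a brace block; DOTALL lets the block span lines.
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{(.*?)\}", re.MULTILINE | re.DOTALL)

# Rule header: action proto src src_port direction dst dst_port ( options )
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

# Constructed snort.conf fragment, modelled on the post.
SNORT_CONF = """\
# constructed snort.conf fragment
ruletype auditlog
{
    type alert
    output alert_syslog: LOG_AUTH LOG_INFO
    output log_null
}
"""

# Constructed local.rules fragment; the last line carries a deliberate typo.
LOCAL_RULES = """\
# constructed local.rules fragment
auditlog icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;)
# the stock rule, commented out as the post describes
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;)
auditlg icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"typo in action"; itype:8;)
"""


def parse_ruletypes(conf_text):
    """Return {name: {"type": str|None, "outputs": [str, ...]}} per ruletype block."""
    ruletypes = {}
    for m in RULETYPE_RE.finditer(conf_text):
        name, body = m.group(1), m.group(2)
        spec = {"type": None, "outputs": []}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("type "):
                spec["type"] = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                spec["outputs"].append(line.split(None, 1)[1].strip())
        ruletypes[name] = spec
    return ruletypes


def lint_rules(rules_text, ruletypes):
    """Return [(line_no, problem), ...] for rules with an unknown action or a
    ruletype that declares no output plugin."""
    problems = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and commented-out rules are skipped
        m = RULE_RE.match(stripped)
        if not m:
            problems.append((no, "unparseable rule header"))
            continue
        action = m.group(1)
        if action in BUILTIN_ACTIONS:
            continue
        if action not in ruletypes:
            problems.append((no, f"action '{action}' is neither built-in nor a declared ruletype"))
        elif not ruletypes[action]["outputs"]:
            problems.append((no, f"ruletype '{action}' declares no output plugin"))
    return problems


def run_lint(conf_text=SNORT_CONF, rules_text=LOCAL_RULES):
    """Parse the config, then lint the rules against it."""
    return lint_rules(rules_text, parse_ruletypes(conf_text))


if __name__ == "__main__":
    for no, problem in run_lint():
        print(f"local.rules:{no}: {problem}")
```

Run against the constructed inputs, the `auditlog` rule passes (its ruletype is declared with two output plugins) and only the misspelled `auditlg` rule is reported. The lint does not reproduce Snort's own loading order or output-plugin behaviour; it only catches the mismatch between declaration and use that is easy to introduce when rules are moved between files.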