Re: Nimda specific logging

["Andrew R. Baker" <andrewb0x29a () yahoo com>]

By default, your nimba ruletype will be evaluated after all other
ruletypes unless you change the rule evaluation order by adding an "order"
directive in the configuration file.  something like:

order: nimda activation dynamic alert log pass

would have your nimda rule evaluated first.

-A

--- Subba Rao <subba9 () home com> wrote:
> Hi,
>
> I am trying to log Nimda specific traffic to a file "nimda.log".
> In snort.conf, I have defined a new ruletype, which is as follows:
>
> ruletype nimda
> {
>  type alert
>  output alert_fast: nimda.log
> }
>
> In my "nimda.rules" file, the rule syntax is as follows:
>
> nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (.......)
>
> With this new ruletype, I do not see any nimda specific logging going
> into the "nimda.log". When I run SnortSnarf on the existing "alert"
> file,
> their is mention of the "nimda.rules file" to some alerts.
>
> Could someone point out what I am missing for this new ruletype?
>
> Thank you in advance.
> -- 
>
> Subba Rao
> subba9 () home com                     http://members.home.net/subba9/
> OpenPGP/GPG public key ID CCB7344E
>
>  => Time is relative. Here is a new way to look at time. <=
> http://www.smcinnovations.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users