Re: 2.1.3RC1 event_queue and custom ruletypes/log rules?

[Jeremy Hewlett <jh () sourcefire com>]

On Wed, Apr 28, Erik Fichtner wrote:
> Are custom rule types not part of the new event_queue?  
> (which, by the way, I think I like.)

Thanks for trying out the new event queue mechanism!

> does not produce expected behavior.. the "sample alert" packets do not
> appear in traffic.log, only in alerts.log.  So, I think to myself 
> 'self.. perhaps it only works on "alert" types.'  so I make "traffic"
> an "alert" type (with output alert_fast: /dev/null  (YUCK!))..   same
> behavior.   So....  help?

Currently how the event queue works is that depending on the order of
the alert types, we log multiple events of the highest ordered alert
type. So, for example - 

if you have pass->alert->log order, and you alert on two "pass" rules,
three "alerts," one "log" we only will log the two pass rules. This is
because if you have a "pass" rule you don't want to see alerts, so we
only log the highest ordered alert type.

So, for your example, if you ordered the "traffic" alert type first
you should see the "traffic" event but not the "alert" event.

Your example brings up a good point - do we want to allow multiple
logging of different alert types while keeping in mind there are some
alert types we don't want to log because of a lower priority ordering...

We'll look into this - feedback welcomed.

Thanks!



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users