2.1.3RC1 event_queue and custom ruletypes/log rules?

[Erik Fichtner <emf () servervault com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are custom rule types not part of the new event_queue?  
(which, by the way, I think I like.)

a totally contrived example:

output alert_syslog: log_auth log_alert
output log_tcpdump: alerts.log
ruletype traffic 
{
        type log
        output log_tcpdump: traffic.log
}

traffic ip any any -> any any
alert tcp any any -> any 23 (msg: "sample alert";)

does not produce expected behavior.. the "sample alert" packets do not
appear in traffic.log, only in alerts.log.  So, I think to myself 
'self.. perhaps it only works on "alert" types.'  so I make "traffic"
an "alert" type (with output alert_fast: /dev/null  (YUCK!))..   same
behavior.   So....  help?

Thanks...


- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFAjzbTQ7EzrewLMS0RAggzAKCIgGxk1a+Iqa6/yttTUml1ybGfawCgxKdO
VR4Hmqpt47n63Jt4werUt3A=
=zyB2
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users