Snort mailing list archives

custom output for ruletype{ type alert}


From: Yaocl <chunlinyao () gmail com>
Date: Sun, 1 Aug 2010 11:50:35 +0800

Hi everybody

I am trying to create a custom action so I can output some alerts to a
different file, but they still go to the default file.

Here is the relevant part of my snort.conf:

output alert_full: alert
output alert_pf: /usr/local/etc/snort/whitelist,snort2c
output unified2: filename snort, limit 128

ruletype audit
{
   type alert
   output alert_fast: alert.fast
   output unified2: filename audit, limit 128
}

The audit rules still go to the alert file, not the alert.fast file, and
the audit log is empty.
If I change the type to log:
ruletype audit
{
   type log
   output unified2: filename audit, limit 128
}
It will output packets to audit.log.
Does somebody know what's wrong?

This is my Snort version:

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)  FreeBSD
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 8.02 2010-03-19

     ___   Built Date for Snort on Pfsense 1.2.3 is May 25 2010.
 ___/ f \  Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
/ p \___/Sense
\___/   \
    \___/  Using Snort.org dynamic plugins and Orion IPS source.


Regards,
Yao
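One thing worth checking before digging into output plugins is whether any rule actually uses the custom action: a rule that still begins with `alert` is handled by the global `output` lines, whatever the `ruletype audit` block says. The script below is an added example, not code from the post or from the Snort project; it writes a constructed snort.conf mirroring the ruletype block above and a constructed rules file (the hypothetical sids 1000001-1000003 and their messages are made up), then lists the declared ruletype names, counts rules per action and flags actions that are neither Snort 2.x built-ins (alert, log, pass, activate, dynamic, drop, reject, sdrop) nor declared ruletypes. It is a purely textual check on the configuration; it does not tell you whether a given Snort build honours the outputs inside a ruletype.

```shell
#!/bin/sh
# Added example: sanity-check that rules reference declared ruletypes.
# Not part of the original post or of Snort itself.

# Constructed sample config, mirroring the ruletype block from the post.
write_sample_conf() {
  cat > "$1" <<'EOF'
output alert_full: alert
output unified2: filename snort, limit 128

ruletype audit
{
   type alert
   output alert_fast: alert.fast
   output unified2: filename audit, limit 128
}
EOF
}

# Constructed sample rules (hypothetical sids and messages): one uses the
# custom "audit" action, one still uses plain "alert" and so lands in the
# global outputs, one has a typo in the action word.
write_sample_rules() {
  cat > "$1" <<'EOF'
audit tcp any any -> any 80 (msg:"AUDIT HTTP to web server"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"Plain alert, goes to global outputs"; sid:1000002; rev:1;)
adit tcp any any -> any 23 (msg:"Typo in action word"; sid:1000003; rev:1;)
# comment line, ignored
EOF
}

# Print every action name declared in snort.conf as "ruletype NAME".
declared_ruletypes() {
  awk '$1 == "ruletype" && NF >= 2 { print $2 }' "$1"
}

# Print the action word (first token) of every rule line, skipping
# comments and blank lines.
rule_actions() {
  awk '/^[[:space:]]*#/ { next } NF == 0 { next } { print $1 }' "$1"
}

# Count the rules in file $1 whose action is $2.
count_rules_with_action() {
  rule_actions "$1" | grep -c -x "$2"
}

# Print, one per line, the rule actions in $2 that are neither Snort 2.x
# built-ins nor ruletypes declared in $1.
unknown_actions() {
  conf=$1
  rules=$2
  builtin="alert log pass activate dynamic drop reject sdrop"
  known="$builtin $(declared_ruletypes "$conf" | tr '\n' ' ')"
  rule_actions "$rules" | sort -u | while read -r act; do
    case " $known " in
      *" $act "*) ;;
      *) printf '%s\n' "$act" ;;
    esac
  done
}

# Stand-alone usage: build the samples in a temp dir and report.
if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d)
  write_sample_conf "$dir/snort.conf"
  write_sample_rules "$dir/local.rules"
  echo "declared ruletypes: $(declared_ruletypes "$dir/snort.conf" | tr '\n' ' ')"
  echo "rules using audit:  $(count_rules_with_action "$dir/local.rules" audit)"
  echo "rules using alert:  $(count_rules_with_action "$dir/local.rules" alert)"
  echo "unknown actions:    $(unknown_actions "$dir/snort.conf" "$dir/local.rules" | tr '\n' ' ')"
  rm -rf "$dir"
fi
```

Run it as `sh check_ruletypes.sh run` against your own paths by pointing the functions at the real snort.conf and rules files instead of the constructed samples. Once the rules really use `audit`, `snort -T -c snort.conf` validates the full configuration (including the output plugins inside the ruletype) without starting detection.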

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net