Rule Headers

83

  Sending SNMP traps. SNMP traps are sent to a network management system

like HP OpenView or Open NMS at http://www.opennms.org.

  Taking multiple actions on a packet. As you have seen earlier in the structure of

Snort rules, a rule only takes one action. User defined rules can be used to take

multiple actions. For example, a user defined rule can be used to send an SNMP

trap as well as to log the alert data to the syslog daemon. 

  Logging data to XML files.

Logging messages into a database. Snort is able to log messages to MySQL, Post 

gress SQL, Oracle and Microsoft SQL server.

These new action types are defined in the configuration file snort.conf.  A

new action is defined in the following general structure:

ruletype action_name

{

     action definition

}

The ruletype keyword is followed by the action name. Two braces enclose the

actual definition of the action, just like a function in C programming. For example, an

action named smb_db_alert that is used to send SMB pop up window alert mes 

sages to hosts listed in workstation.list file and to MySQL database named

 snort  is defined below:

ruletype smb_db_alert

{

   type alert

   output alert_smb: workstation.list

   output database: log, mysql, user=rr password=rr \

     dbname=snort host=localhost

}

Theses types of rules will be discussed in the next chapter in detail. Usually they

are related to configuration of output plug ins.

3.5.2

Protocols

Protocol is the second part of a Snort rule. The protocol part of a Snort rule shows

on which type of packet the rule will be applied. Currently Snort understands the fol 

lowing protocols:

  IP

  ICMP