82
Chapter 3     Working with Snort Rules
3.5.1.1 Pass
This action tells Snort to ignore the packet. It plays an important role in speeding up
Snort operation in cases where you don't want to apply checks to certain packets. For
example, if you have a vulnerability assessment host on your own network that you use
to find possible security holes in your network, you may want Snort to ignore the attack
traffic that host generates instead of raising an alert for every scan it runs. A pass rule
matching that host's address does exactly that.
3.5.1.2 Log
The log action is used to log a packet. Packets can be logged in different ways, as
discussed later in this book. For example, a message can be logged to log files or in a
database. Packets can be logged with different levels of detail depending on the
command line arguments and configuration file. To find the command line arguments
available in your version of Snort, use the snort -? command.
3.5.1.3 Alert
The alert action is used to send an alert message when rule conditions are true for
a particular packet. An alert can be sent in multiple ways. For example, you can send an
alert to a file or to a console. The functional difference between the Log and Alert actions is
that an Alert action sends an alert message and then logs the packet, whereas the Log
action only logs the packet.
3.5.1.4 Activate
The activate action is used to create an alert and then to activate another rule for
checking more conditions. Dynamic rules, as explained next, are used for this purpose.
The activate action is used when you need further testing of a captured packet.
3.5.1.5 Dynamic
Dynamic action rules are invoked by other rules using the activate action. In
normal circumstances, they are not applied to a packet. A dynamic rule can be
activated only by an activate action defined in another rule; the two are linked by
the activates and activated_by options, which must carry the same number.
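The following rule fragment is an added example, not one of the book's own rules, that shows each of the five built-in actions side by side. It assumes a Snort 2.x setup in which HOME_NET is defined in snort.conf (for example, var HOME_NET 192.168.1.0/24); the scanner address 192.168.1.50, the content strings and the sid numbers are hypothetical values chosen for the illustration.

```snort
# Added example (not from the book). Assumes snort.conf defines HOME_NET,
# e.g.:  var HOME_NET 192.168.1.0/24
# 192.168.1.50 (the scanner), the content strings and the sids are hypothetical.

# pass: ignore everything coming from the authorised vulnerability scanner.
# Caveat: in the older Snort 2.x releases the default evaluation order is
# Alert, Pass, Log, so this rule only suppresses alerts if Snort is started
# with -o (or "config order: pass alert log" is set in snort.conf).
pass ip 192.168.1.50 any -> $HOME_NET any (msg:"Authorised scanner traffic"; sid:1000001;)

# log: record the packet for later inspection, without raising an alert.
log tcp any any -> $HOME_NET 23 (msg:"Telnet session to internal host"; sid:1000002;)

# alert: raise an alert through the configured output and then log the packet.
alert tcp any any -> $HOME_NET 21 (msg:"FTP login attempt as root"; content:"USER root"; nocase; sid:1000003;)

# activate / dynamic: the activate rule alerts and switches on the dynamic rule
# (linked by activates/activated_by number 1); the dynamic rule then logs the
# next 50 packets to the same service so the follow-up can be examined.
activate tcp any any -> $HOME_NET 143 (msg:"IMAP overflow attempt"; flags:PA; content:"|E8 C0 FF FF FF|/bin"; activates:1; sid:1000004;)
dynamic tcp any any -> $HOME_NET 143 (activated_by:1; count:50; sid:1000005;)
```

Before relying on a pass rule, check the effective rule order of your Snort version (snort -? lists the -o switch); a pass rule that is evaluated after the alert rules will not stop the scanner's traffic from appearing in the alert file.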
3.5.1.6 User Defined Actions
In addition to these actions, you can define your own actions. These rule actions
can be used for different purposes, such as:
- Sending messages to syslog. Syslog is the system logger daemon and creates log
files in the /var/log directory. The location of these files can be changed using the
/etc/syslog.conf file. For more information, use the man syslog and man
syslog.conf commands on a UNIX system. Syslog may be compared to
the event logger on Microsoft Windows systems.
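As an added example that is not part of the book, the snort.conf fragment below declares a user-defined action that behaves like alert but delivers the message to syslog, and then uses it in a rule. The action name syslog_alert, the facility and priority LOG_AUTH/LOG_ALERT, and the sid are choices made for this illustration; HOME_NET is assumed to be defined elsewhere in snort.conf.

```snort
# Added example (not from the book). Goes in snort.conf; assumes HOME_NET
# is defined there. The action name, facility/priority and sid are hypothetical.

# ruletype declares a new action. "type alert" gives it alert semantics
# (alert, then log); the output line replaces the default alert output with
# syslog, so messages end up under /var/log as routed by /etc/syslog.conf.
ruletype syslog_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# The new action is then used exactly like a built-in one.
syslog_alert tcp any any -> $HOME_NET 22 (msg:"SSH connection to internal host"; sid:1000006;)
```

Because a ruletype carries its own output line, rules using it are not written to the file chosen by the -A or -l command line options; keep that in mind when an alert seems to have disappeared.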