Declared Rule Types
A declared rule type is used to declare a new keyword for one of the five
built-in ruletypes. Additionally, this new keyword can be associated with
a set of output plugins that is distinct from the globally defined set. This
feature provides a mechanism to implement both multiple alert levels and more
complex detection schemes. How it is used to implement these will be discussed
shortly, but first, we will discuss the syntax of a rule type declaration.
Here is a sample ruletype declaration:
    ruletype info {
        type alert
        output alert_fast: snort.info
    }
As seen in the above example, there are three major components to a ruletype
declaration: the ruletype tag, the type statement, and the output plugin
declarations. The ruletype tag specifies the keyword that will be used for
rules of this type. In the example this keyword is info. The type statement
specifies the built-in rule type that this new rule type will be modeled after.
In this case, we are modeling it after the alert rule. The output plugin
declarations are identical to those used globally. In a ruletype declaration,
they refer to the output plugins that will be used for this ruletype. The
example contains an output plugin declaration for the alert_fast plugin. All of
the alert messages from these rules will use that method. However, since there
is no output plugin defined for log messages, these will use the globally
defined mechanisms.
It is legal to have no output plugin declarations at all in a ruletype
declaration. If an output plugin declaration is missing for one of the two
reporting mechanisms (alert and log), then the globally defined mechanism will
be used.
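As an added example (not part of the original Snort documentation), the following Python snippet parses a constructed configuration fragment written in the syntax above and resolves which output plugins each declared ruletype actually uses, applying the fallback to the globally defined mechanism described here. It assumes, as a simplification, that an output plugin can be classified as an alert or log mechanism by its alert_/log_ name prefix.

```python
import re

# Constructed Snort 1.x-style configuration fragment (sample input, not a real deployment).
SAMPLE_CONF = """\
output alert_full: snort.alert
output log_tcpdump: snort.log

ruletype info {
    type alert
    output alert_fast: snort.info
}

ruletype suspicious {
    type log
}
"""

# The five built-in rule types a declared ruletype may be modeled after.
BUILTIN_TYPES = {"alert", "log", "pass", "activate", "dynamic"}

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)(?::\s*(.*))?$", re.M)

def mechanism(plugin):
    """Classify a plugin as an alert or log mechanism by name prefix (assumed simplification)."""
    if plugin.startswith("alert_"):
        return "alert"
    if plugin.startswith("log_"):
        return "log"
    raise ValueError(f"cannot classify output plugin {plugin!r}")

def parse_outputs(text):
    """Return {"alert": [(plugin, args)], "log": [...]} for every output line in text."""
    outs = {"alert": [], "log": []}
    for plugin, args in OUTPUT_RE.findall(text):
        outs[mechanism(plugin)].append((plugin, args.strip()))
    return outs

def parse_config(conf):
    """Parse global outputs and ruletype blocks; resolve each ruletype's effective outputs."""
    global_outputs = parse_outputs(RULETYPE_RE.sub("", conf))  # only lines outside blocks
    ruletypes = {}
    for name, body in RULETYPE_RE.findall(conf):
        m = re.search(r"^\s*type\s+(\w+)\s*$", body, re.M)
        if not m or m.group(1) not in BUILTIN_TYPES:
            raise ValueError(f"ruletype {name}: missing or unknown type statement")
        local = parse_outputs(body)
        # A mechanism with no declaration in the block falls back to the global one.
        effective = {k: local[k] or global_outputs[k] for k in ("alert", "log")}
        ruletypes[name] = {"type": m.group(1), "outputs": effective}
    return global_outputs, ruletypes
```

For the sample, info alerts go only to alert_fast while its log messages fall back to the global log_tcpdump, and suspicious inherits both global mechanisms.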
Copyright 2000 Andrew R. Baker