Hosting Provided By

Re: [Snort-users] Alerts, Logged and Passed

From: Clayton Mascarenhas <masclaythesnort(at)yahoo.com>
Date: Fri Feb 28 2003 - 16:01:27 EST

Hi,
Thankyou so much Erek for your help and more importantly your valuable time. So just to double check....from what I understand ...... when I get Alerts = 6 , Logged = 6... that means the rule(s) that got triggered started with the "alert" option. And when I got Alerts = 0, Logged = 6, that means the rule(s) that got triggered started with the "Log" option. However when I get Alerts = 6, Logged = 0 that means the preprocessor got triggered which only sends alerts and does not log. Correct?? Thankyou so much again Erek for your guidance. Clayton Mascarenhas
Erek Adams <erek@snort.org> wrote:On Fri, 28 Feb 2003, Clayton Mascasrenhas wrote:

> After I run snort... a summary shows up saying Alerts = 6 , Logged = 6,

Quite simply, the two are tottaly different, and what you are seeing is expected depending on your rules.

[Note: In the following 'file' means "any way that Snort is configured to log" with that would be a DB, flat file, pcap, or whatever.]

If the rule starts with 'alert' then it will alert to a file and log to a file the packet--But that's in no way the same as the 'log' keyword.

If the rule starts with 'log' then it will log to a file and _not_ alert.

Basically, there are two "buckets"--Alert and Log. When a packet is flagged as an alert, it goes into the Alert bucket. When the alert is done, then that same packet goes into the Log bucket so that the packet is not only alerted on, but logged to as well. If the packet is thrown into the Log bucket, then it is simply written to without an alert firing.

Do you need help?

Does that make more sense?

Cheers!

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, and more

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Fri Feb 28 16:05:06 2003

This message: [ Message body ]
Next message: Matt Kettler: "Re: [Snort-users] Snort signautures (understanding snort output)"
Previous message: Sadanapalli, Pradeep Kumar (MED, TCS): "RE: [Snort-users] Unable to receive alerts"
In reply to Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Next in thread: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Reply: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Reply: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Reply: Clayton Mascarenhas: "Re: [Snort-users] Alerts, Logged and Passed"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:46 EDT