Hosting Provided By

Re: [Snort-users] Alerts, Logged and Passed

From: Clayton Mascarenhas <masclaythesnort(at)yahoo.com>
Date: Fri Feb 28 2003 - 18:08:45 EST

Erek... one last doubt.. I am sorry for bugging you like this and being so slow to understand..... but just this one last doubt...the final doubt... .. You said... You: If you have 3003 items that got to the 'Alert' facility, you will have 3003 alerts. If you have 494 items that go to the 'Log' facility, you will have 494 log entries.

My doubt..... that means the 3003 alerts will be in the alert file..... but where are the 494 log entries?? in which file??

You: If you have _both_ you will have 3003 alerts, 494 logged, and the output will contain 3497 bits of packet info.

My doubt..... does this mean the alert file will have 3497 entries??

You: Examine your rules file(s). Look for "log" and "alert" grep 'log' *.rules (This should generate 0 unless you have customized rules.) grep 'alert' *.rules (This will generate a lot of them.)

My doubt ... yes you are absolutely correct.But since I got 0 when I grep 'log' *.rules ... how come in some situations I get alert = 0 and log = 6 ...because there are no rules that start with Log.

Clayton Mascarenhas

Do you need help?

Erek Adams <erek@snort.org> wrote:On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:

> Thankyou so much Erek for your help and more importantly your valuable

Examine your rules file(s). Look for "log" and "alert"

grep 'log' *.rules (This should generate 0 unless you have customized rules.)
grep 'alert' *.rules (This will generate a lot of them.)

If the packets were alerted on or logged, have a look at them and see what rule they match. 'snort -vdr '

If a packet is alerted on, it _will_ be logged.

The one thing you need to understand is that the number of 'alert' vs. 'log' entries into the stat output only refers to the facility by which it was invoked. If you have 3003 items that got to the 'Alert' facility, you will have 3003 alerts. If you have 494 items that go to the 'Log' facility, you will have 494 log entries. If you have _both_ you will have 3003 alerts, 494 logged, and the output will contain 3497 bits of packet info.

> Thankyou so much again Erek for your guidance.

Do you need more help?

*pfffttt* I just do what I can. :)

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, and more

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

This message: [ Message body ]
Next message: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Previous message: Erek Adams: "Re: [Snort-users] Running snort in daemon mode disables network connection"
In reply to: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
In reply to Clayton Mascarenhas: "Re: [Snort-users] Alerts, Logged and Passed"
Next in thread: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Reply: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"
Reply: Erek Adams: "Re: [Snort-users] Alerts, Logged and Passed"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:46 EDT