Snort mailing list archives

Re: Spade ---What gives


From: <bthaler () webstream net>
Date: Wed, 13 Mar 2002 14:16:58 -0500

Geez! Now I'm really confused!

Read this statement by Marty:
"What this means in practical terms is that if the db plugin
is in alert mode, it will only receive output from alert rules, whereas
if it's in "log" mode it will receive output from both log and alert
rules."

This means that the database output plugin, configured to run in "log" mode, will write both "alert" and "log" output to the database, right?

So if this is true, then why does the output plugin need to be set to "alert" to capture spp_portscan and evidently spp_anomsensor?

I may be missing something obvious here, but this doesn't make sense to me.  If "log" logs both "alert" and "log" (does that make sense?), then we should see spp_portscan (and with it spp_anomsensor) with the output plugin set to "log", but we don't, so this must not be completely true.

Please forgive my ignorance...

On another note, I noticed that many of the fancier features of Snort are dependent on the "alert" facility, which writes those pesky "alert" files to my HD, as well as those IP address directories.

I was under the impression that maximum performance/attack information would be achieved by having Snort output to a database on a remote host, as opposed to a local database or local logfiles.  When I use the "alert" facility combined with the database output plugin, I still get the "alert", etc. files written locally.  I understand that this is not a "bug" per se, but is just the way Snort works, but it seems counter-intuitive to me.  I mean, I'm going through all the trouble of maintaining a separate machine just to run MySQL and maximize performance, and Snort insists on writing files locally.  This not only hinders performance, but could be used as a way to DoS Snort with "noise" filling my sensor's HD.

I need to run IDS on a 45Mb connection, so I need all the performance I can get.  At the same time, I need as much information about incoming attacks as possible.  I realize that this is a compromise, but it seems that Snort is "wasting" performance by writing these files, at least in my situation, since all of that info is already in the database.

Anyway, this is just my perspective...Let me know if I'm missing something here.

Sincerely,

Brad T.

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: <bthaler () webstream net>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 13, 2002 1:25 PM
Subject: Re: [Snort-users] Spade ---What gives


On Wed, 13 Mar 2002 bthaler () webstream net wrote:

> Just to confirm, because neither FAQ is clear on this:
> I can have both:
> output database: alert, mysql, user=snort, dbname=snort_log host=localhost
> password=foo
> output database: log, mysql, user=snort, dbname=snort_log host=localhost
> password=foo
> at the same time, right?

Right.  What does make it a bit clearer is the Snort Users Manual (in both
HTML and PDF on snort.org).

> I changed my "log" to "alert" and the number of alerts dropped from about
> 1000 per hour to about 200... So I'm assuming that "alert" doesn't include
> "log".

Well....  There is a difference.  This should explain it:

http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

> Right now, I'm using both "alert" and "log".  Does it matter which is listed
> first in the snort.conf?

Snort reads the .conf from the top down.  So if log is first, it will "log"
first.  If alert is, then it "alerts" first.

Now, the question you seem to be asking is "Will it matter to the DB as to what
order I have them in?"  In the last paragraph of that email Marty sums it
up:  "What this means in practical terms is that if the db plugin is in alert
mode, it will only receive output from alert rules, whereas if it's in 'log'
mode it will receive output from both log and alert rules."

> Thanks for all the help, BTW.

No problems!  They don't call me the 'Snort Janitor' for nothing. ;-)

Hope it helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users