Snort mailing list archives
Re: Spade ---What gives
From: <bthaler () webstream net>
Date: Wed, 13 Mar 2002 14:16:58 -0500
Geez! Now I'm really confused! Read this statement by Marty: "What this means in practical terms is that if the db plugin is in alert mode, it will only receive output from alert rules, whereas if it's in "log" mode it will receive output from both log and alert rules." This means that the database output plugin, configured to run in "log" mode will write both "alert" and "log" output to the database, right? So if this is true, then why does the output plugin need to be set to "alert" to capture spp_portscan and evidently spp_anomsensor? I may be missing something obvious here, but this doesn't make sense to me. If "log" logs both "alert" and "log" (does that make sense?), then we should see spp_portscan (and with it spp_anomsensor) with the output plugin set to "log" but we don't, so this must not be completely true. Please forgive my ignorance... On another note, I noticed that many of the fancier features of snort are dependant on the "alert" facility, which writes those pesky "alert" files to my HD, as well as those IP Address directories. I was under the impression that maximum performance/attack information would be achieved by having Snort output to a database on a remote host, as opposed to a local database or local logfiles. When I use the "alert" facility combined with the database output plugin, I still get the "alert", etc. files written locally. I understand that this is not a "bug" per se, but is just the way Snort works, but it seems counter-intuitive to me. I mean I'm going through all the trouble of maintaining a separate machine just to run MySQL and maximize performance, and Snort insists on writing files locally. This not only hinders performance, buy could be used as a way to DOS snort with "noise" filling my sensor's HD. I need to run IDS on a 45Mb connection, so I need all the performance I can get. At the same time, I need as much information about incoming attacks as possible. I realize that this is a compromise, but it seems that Snort is "wasting" performance by writing these files, at least in my situation, since all of that info is already in the database. Anyway, this is just my perspective...Let me know if I'm missing something here. Sincerely, Brad T. ----- Original Message ----- From: "Erek Adams" <erek () theadamsfamily net> To: <bthaler () webstream net> Cc: <snort-users () lists sourceforge net> Sent: Wednesday, March 13, 2002 1:25 PM Subject: Re: [Snort-users] Spade ---What gives
On Wed, 13 Mar 2002 bthaler () webstream net wrote:Just to confirm, because neither FAQ is clear on this: I can have both: output database: alert, mysql, user=snort, dbname=snort_log host=localhost password=foo output database: log, mysql, user=snort, dbname=snort_log host=localhost password=foo at the same time, right?Right. What does make it a bit clearer is the Snort Users Manual (in both HTML and PDF on snort.org).I changed my "log" to "alert" and the number of alerts dropped from about 1000 per hour to about 200... So I'm assuming that "alert" doesn't include "log".Well.... There is a difference. This should explain it: http://www.theadamsfamily.net/~erek/snort/logging_methods.txtRight now, I'm using both "alert" and "log". Does it matter which is listed first in the snort.conf?Snort reads the .conf from the top down. So if log is first, it will "log" first. If alert is, then it "alerts" first. Now, the question you seem to be asking is "Will it matter to the DB as what I've order I have them in?" In the last paragraph of that email Marty sums it up: "What this means in practical terms is that if the db plugin is in alert mode, it will only receive output from alert rules, whereas if it's in 'log' mode it will receive output from both log and alert rules."Thanks for all the help, BTW.No problems! They don't call me the 'Snort Janitor' for nothing. ;-) Hope it helps! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Spade ---What gives bthaler (Mar 12)
- Re: Spade ---What gives James Hoagland (Mar 12)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Alerts, Logs and DB's--Oh My! Erek Adams (Mar 13)
- Re: Spade ---What gives James Hoagland (Mar 12)