Snort mailing list archives
Re: Alerts, Logged and Passed
From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Fri, 28 Feb 2003 15:08:45 -0800 (PST)
Erek... one last doubt.. I am sorry for bugging you like this and being so slow to understand..... but just this one last doubt... the final doubt...

You said...

You: If you have 3003 items that go to the 'Alert' facility, you will have 3003 alerts. If you have 494 items that go to the 'Log' facility, you will have 494 log entries.

My doubt..... that means the 3003 alerts will be in the alert file..... but where are the 494 log entries?? In which file??

You: If you have _both_ you will have 3003 alerts, 494 logged, and the output will contain 3497 bits of packet info.

My doubt..... does this mean the alert file will have 3497 entries??

You: Examine your rules file(s). Look for "log" and "alert"
grep 'log' *.rules (This should generate 0 unless you have customized rules.)
grep 'alert' *.rules (This will generate a lot of them.)

My doubt... yes you are absolutely correct. But since I got 0 when I grep 'log' *.rules... how come in some situations I get alert = 0 and log = 6... because there are no rules that start with Log.

Clayton Mascarenhas

Erek Adams <erek () snort org> wrote:
On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:
Thank you so much Erek for your help and more importantly your valuable time. So just to double check.... from what I understand...... when I get Alerts = 6, Logged = 6, that means the rule(s) that got triggered started with the "alert" option. And when I got Alerts = 0, Logged = 6, that means the rule(s) that got triggered started with the "log" option. However when I get Alerts = 6, Logged = 0 that means the preprocessor got triggered, which only sends alerts and does not log. Correct??
Examine your rules file(s). Look for "log" and "alert":

grep 'log' *.rules (This should generate 0 unless you have customized rules.)
grep 'alert' *.rules (This will generate a lot of them.)

If the packets were alerted on or logged, have a look at them and see what rule they match: 'snort -vdr '

If a packet is alerted on, it _will_ be logged. The one thing you need to understand is that the number of 'alert' vs. 'log' entries in the stat output only refers to the facility by which it was invoked. If you have 3003 items that go to the 'Alert' facility, you will have 3003 alerts. If you have 494 items that go to the 'Log' facility, you will have 494 log entries. If you have _both_ you will have 3003 alerts, 494 logged, and the output will contain 3497 bits of packet info.
Thank you so much again Erek for your guidance.
*pfffttt* I just do what I can. :)

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
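The grep check above counts any line containing the word, including "login" in a msg string or a commented-out rule, so it can overstate how many rules actually use the log action. As an added example (not from the thread or from Snort itself), here is a small parser that counts rules by their action keyword, the first token of each rule, next to the naive substring count; the rules text is a constructed sample.

```python
from collections import Counter

# Constructed sample of Snort-style rules (not from the thread). It deliberately
# contains "log" inside a msg string, inside a content match, and in a comment,
# which a plain `grep 'log' *.rules` would all report as hits.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempt"; flags:S; sid:1000001;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB weblog.cgi access"; \\
    content:"weblog"; sid:1000002;)
log tcp any any -> $HOME_NET 23 (msg:"telnet session"; sid:1000003;)
pass icmp any any -> $HOME_NET any (msg:"ignore ping"; sid:1000004;)
# log udp any any -> any 53 (disabled rule, still matches grep 'log')
"""

# Rule actions understood by the classic rule syntax.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def logical_rules(text):
    """Yield each rule as one string: join backslash continuations, skip blanks and comments."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if buf == "" and (not stripped or stripped.startswith("#")):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        yield buf
        buf = ""
    if buf:  # dangling continuation at end of file
        yield buf

def count_actions(text):
    """Count rules by action keyword, i.e. what the stat counters are really keyed on."""
    counts = Counter()
    for rule in logical_rules(text):
        action = rule.split(None, 1)[0].lower()
        counts[action if action in ACTIONS else "unknown"] += 1
    return counts

def grep_count(text, word):
    """Lines containing `word` anywhere, the same thing grep '<word>' *.rules reports."""
    return sum(1 for line in text.splitlines() if word in line)

if __name__ == "__main__":
    print("by action:", dict(count_actions(SAMPLE_RULES)))
    print("grep 'log' hits:", grep_count(SAMPLE_RULES, "log"))
```

With this sample the parsed count shows one log rule while the substring check reports five lines, which is the kind of gap that makes "grep 'log'" a rough check rather than a rule count.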
Current thread:
- Alerts, Logged and Passed Clayton Mascasrenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)