Why the alert # in the snort final stat do not match the alert # in log?

[Lin.Zhong () Dartmouth EDU (Lin Zhong)]

Hi, Can anybody help me with this problem? 

I have defined my own version of alert_CSV, but when I examine the alert file generate and snort's final statistic 
output. I say a gap between the alert # in the alert file (491 alerts )and that shown in snort final stat output(494 
alerts and 494 logged). 

I wonder what cause this gap.

Could the 3 misery alerts be the alerts for the preprocessors. I saw the snort STERR output and find
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
I wonder whether these three alerts for for alert_large_fragments, alert_incomplete or alert_multiple_requests. 

But I don't know where these alerts go to... I couldn't find them in my log file.

Thank you very much

--
Lin


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users