Snort mailing list archives
Re: Alerts vs. logged
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 10 May 2006 20:09:29 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Vidar,

The alerts and logged values are based on the number of alerts generated and the number of packets logged. It is possible to have alerts which have no logs just as it is possible to log packets without alerting, so we maintain separate counters for the summary data.
-Marty

On Apr 12, 2006, at 7:50 AM, Vidar Evenrud Seeberg wrote:
Hello gurus!

This may be a simple question, but I need to get my thoughts confirmed:

When Ctrl-C'd, Snort shows a summary page where, among other things, ALERTS and LOGGED numbers are presented. Am I right when I interpret these numbers as LOGGED being all true positives and false negatives detected by Snort and ALERTS being all unique types of attacks detected? E.g. 5 detections of attack 1, 3 detections of attack 2 and 4 detections of attack 3 gives 3 ALERTS and 12 LOGGED.

I know that there may be log-rules present in the rule set. However, in my data set only HTTP traffic is present and all rules enabled are alert-rules. No log-rules are present.

Looking forward to an answer.

Regards
Vidar S.

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEYoC5qj0FAQQ3KOARAvezAJ9EV/o45v77HXdwtbl8JLwkTynFEwCfcvMg
QlnKwSQ2yWRjCBVQ02ssGls=
=oAg1
-----END PGP SIGNATURE-----
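The counter semantics Marty describes (ALERTS counts alerts generated, LOGGED counts packets logged, and the two move independently) are easy to get wrong when reading the summary page, as Vidar's "3 ALERTS and 12 LOGGED" interpretation shows. The following toy model is an added example, not code from Snort or from either poster: it tallies the two counters over a constructed list of rule matches built from Vidar's scenario (5 hits on signature 1, 3 on signature 2, 4 on signature 3, all alert rules). The function and field names are my own, and the `alert_packets_logged` switch is an assumption that models whether the alert rules in a given deployment also write the packet to a log output; it is not a Snort option.

```python
"""
Added example (not Snort's own code): a toy model of Snort's end-of-run
ALERTS / LOGGED summary counters as described in Marty's reply.
Rule actions follow the reply: an alert rule generates an alert (and
logs the packet only if packet logging is attached), a log rule logs the
packet without alerting.  Match data is constructed; names are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed rule matches: (rule action, signature id, packet id).
# Vidar's scenario: 5 hits on sig 1, 3 on sig 2, 4 on sig 3, all alert rules.
CONSTRUCTED_MATCHES = (
    [("alert", 1, p) for p in range(0, 5)]
    + [("alert", 2, p) for p in range(5, 8)]
    + [("alert", 3, p) for p in range(8, 12)]
)


@dataclass
class Summary:
    alerts: int                      # number of alerts generated
    logged: int                      # number of packets logged
    unique_sigs: int                 # distinct signatures that alerted
    per_sig: Counter = field(default_factory=Counter)  # alerts per signature


def summarize(matches, alert_packets_logged=True):
    """Tally the summary counters the way the reply describes them.

    alert_packets_logged (assumption, not a Snort option) models whether the
    alert rules also have a packet-logging output attached.  If not, alerts
    are generated with no corresponding logged packet.
    """
    alerts = 0
    logged = 0
    per_sig = Counter()
    for action, sid, _pkt in matches:
        if action == "alert":
            alerts += 1
            per_sig[sid] += 1
            if alert_packets_logged:
                logged += 1
        elif action == "log":
            # log rules log the packet but generate no alert
            logged += 1
        # any other action (e.g. pass) touches neither counter
    return Summary(alerts, logged, len(per_sig), per_sig)


if __name__ == "__main__":
    # Vidar's reading: 3 unique attacks -> 3 ALERTS.  The counters as
    # described give 12 ALERTS; the "3" is the number of distinct signatures.
    s = summarize(CONSTRUCTED_MATCHES)
    print(f"ALERTS={s.alerts} LOGGED={s.logged} unique sigs={s.unique_sigs}")

    # Alerts without logs: alert output only, no packet logging attached.
    s = summarize(CONSTRUCTED_MATCHES, alert_packets_logged=False)
    print(f"ALERTS={s.alerts} LOGGED={s.logged} (no packet logging)")

    # Logs without alerts: two log-rule hits on a constructed sig 99.
    s = summarize(CONSTRUCTED_MATCHES + [("log", 99, 12), ("log", 99, 13)])
    print(f"ALERTS={s.alerts} LOGGED={s.logged} (with log rules)")
```

The three runs show why separate counters are needed: the same 12 alert-rule hits can report LOGGED equal to, below, or (once log rules are present) above ALERTS, and neither number is the count of distinct signatures, which you would get from `per_sig` instead.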
Current thread:
- Alerts vs. logged Vidar Evenrud Seeberg (May 10)
- Re: Alerts vs. logged Martin Roesch (May 10)