Snort mailing list archives

Re: Alerts vs. logged


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 10 May 2006 20:09:29 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Vidar,

The alerts and logged values are based on the number of alerts generated and the number of packets logged. It is possible to have alerts which have no logs just as it is possible to log packets without alerting, so we maintain separate counters for the summary data.

     -Marty

On Apr 12, 2006, at 7:50 AM, Vidar Evenrud Seeberg wrote:

Hello gurus!

This may be a simple question, but I need to get my thoughts confirmed:

When Ctrl-C'd, Snort shows a summary page where, among other things, ALERTS and LOGGED numbers are presented. Am I right when I interpret these numbers as LOGGED being all true positives and false negatives detected by Snort and ALERTS being all unique types of attacks detected? E.g. 5 detections of attack 1, 3 detections of attack 2 and 4 detections of attack 3 gives 3 ALERTS and 12 LOGGED.

I know that there may be log-rules present in the rule set. However, in my data set only HTTP traffic is present and all rules enabled are alert-rules. No log-rules are present.

Looking forward to an answer.

Regards
Vidar S.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEYoC5qj0FAQQ3KOARAvezAJ9EV/o45v77HXdwtbl8JLwkTynFEwCfcvMg
QlnKwSQ2yWRjCBVQ02ssGls=
=oAg1
-----END PGP SIGNATURE-----
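A small model of the point Marty makes above, added here as illustration and not code from the thread or from Snort itself: the ALERTS and LOGGED lines of the end-of-run summary are independent counters fed by different events. The rule-action semantics follow the Snort 2 manual (an `alert` rule raises an alert and then logs the packet, a `log` rule only logs, `pass` does neither), and the `-N` command-line option, which turns packet logging off while alerts still fire, is modelled as the `logging_enabled` flag. The SIDs and the 5/3/4 hit counts are constructed to match the question in the quoted mail.

```python
"""Toy model of Snort's separate ALERTS and LOGGED summary counters.

This is an added illustration, not Snort source: it only reproduces the
counting consequences of the rule actions described in the Snort 2 manual.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Summary:
    alerts: int = 0                 # number of alerts generated
    logged: int = 0                 # number of packets written to the log
    hits_by_sid: Counter = field(default_factory=Counter)  # per-rule alert hits


def run_summary(matches, logging_enabled=True):
    """Feed (sid, action) pairs, one per packet that matched a rule, and
    return the counters Snort would print at shutdown.

    logging_enabled=False models `snort -N`: alerts still fire, nothing is logged.
    """
    s = Summary()
    for sid, action in matches:
        if action == "alert":
            # alert rule: generate an alert, then log the packet (unless -N)
            s.alerts += 1
            s.hits_by_sid[sid] += 1
            if logging_enabled:
                s.logged += 1
        elif action == "log":
            # log rule: packet is logged, no alert is generated
            if logging_enabled:
                s.logged += 1
        elif action == "pass":
            # pass rule: packet is dropped from further inspection, no counters move
            continue
        else:
            raise ValueError(f"unknown rule action {action!r}")
    return s


def vidar_scenario(logging_enabled=True):
    """The quoted example: 5 hits on rule 1, 3 on rule 2, 4 on rule 3,
    all of them alert rules. SIDs are constructed placeholders."""
    matches = ([(1000001, "alert")] * 5
               + [(1000002, "alert")] * 3
               + [(1000003, "alert")] * 4)
    return run_summary(matches, logging_enabled)


def log_only_scenario():
    """A rule set with only log rules: packets are logged, nothing alerts."""
    return run_summary([(1000010, "log")] * 7)


if __name__ == "__main__":
    default = vidar_scenario()
    print(f"alert rules, logging on : ALERTS={default.alerts} LOGGED={default.logged} "
          f"distinct rules hit={len(default.hits_by_sid)}")
    no_log = vidar_scenario(logging_enabled=False)
    print(f"alert rules, snort -N   : ALERTS={no_log.alerts} LOGGED={no_log.logged}")
    lo = log_only_scenario()
    print(f"log rules only          : ALERTS={lo.alerts} LOGGED={lo.logged}")
```

Run as a script, the first line shows that twelve alert-rule hits yield ALERTS=12 and LOGGED=12, with the "3" in the question being the number of distinct rules hit rather than either counter; the second and third lines are the two cases Marty names, alerts without logs and logs without alerts.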

