Snort mailing list archives

Re: Alerts, Logs and DB's--Oh My!


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 13 Mar 2002 11:40:05 -0800 (PST)

On Wed, 13 Mar 2002 bthaler () webstream net wrote:

Geez! Now I'm really confused!

Great!  You'll fit right in here!  ;-)

Read this statement by Marty:
"What this means in practical terms is that if the db plugin
is in alert mode, it will only receive output from alert rules, whereas
if it's in "log" mode it will receive output from both log and alert
rules."

This means that the database output plugin, configured to run in "log" mode
will write both "alert" and "log" output to the database, right?

It means it will write "alert" and "log" _RULES_ to the DB.  (More info below)

So if this is true, then why does the output plugin need to be set to
"alert" to capture spp_portscan and evidently spp_anomsensor?

In spp_portscan.c you have this line:

1559:    CallAlertFuncs(NULL, logMessage, NULL, &event);

Now, when it gets sent back to snort, snort sees that info as an Alert, not a
Log.

As for Spade, well...  I'm not much of a coder, but I'd bet it's the same
reason.

I may be missing something obvious here, but this doesn't make sense to me.
If "log" logs both "alert" and "log" (does that make sense?), then we should
see spp_portscan (and with it spp_anomsensor) with the output plugin set to
"log" but we don't, so this must not be completely true.

Please forgive my ignorance...

"Ignorance is curable, stupidity is not."--My Calc teacher in college.  :)

Consider this:  When plugins were first built into snort, there wasn't a
lot of design in the framework.  Now there is.  IIRC, spp_portscan was the
first pre-processor that was written.  So you might see some weird things
going on in it.

On another note, I noticed that many of the fancier features of snort are
dependent on the "alert" facility, which writes those pesky "alert" files to
my HD, as well as those IP Address directories.

I was under the impression that maximum performance/attack information would
be achieved by having Snort output to a database on a remote host, as
opposed to a local database or local logfiles.  When I use the "alert"
facility combined with the database output plugin, I still get the "alert",
etc. files written locally.  I understand that this is not a "bug" per se,
but is just the way Snort works, but it seems counter-intuitive to me.  I
mean I'm going through all the trouble of maintaining a separate machine
just to run MySQL and maximize performance, and Snort insists on writing
files locally.  This not only hinders performance, but could be used as a
way to DOS snort with "noise" filling my sensor's HD.

OK, consider using Barnyard and unified logging.  At the present, it's still
'beta' but works fairly well from what I hear/see.

I need to run IDS on a 45Mb connection, so I need all the performance I can
get.  At the same time, I need as much information about incoming attacks as
possible.  I realize that this is a compromise, but it seems that Snort is
"wasting" performance by writing these files, at least in my situation,
since all of that info is already in the database.

Barnyard will become your friend.  There are some folks here on the list who
are doing a bit more than what you want.  Just have a look back over the
archives and grep for performance.  You'll get more than you ever wanted to
know. :)

Anyway, this is just my perspective...Let me know if I'm missing something
here.

Ummm...  Nope.  Seem to be doin fine! :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
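The distinction Erek draws above (a database plugin in "log" mode sees both
alert and log rules, but preprocessor output such as spp_portscan is pushed
through the alert chain only, and Barnyard with unified output moves the
local file writing off the sensor's critical path) is easier to follow with
the corresponding snort.conf output lines side by side. This is an added
example for this archive page, not configuration from the thread or from the
Snort project; the database credentials, dbname and host are placeholders,
and the three variants are meant to be compared, not enabled together on one
sensor.

```conf
# --- Variant 1: database plugin on the "log" chain ---
# Receives the output of both "log" and "alert" rules, but NOT the events that
# preprocessors emit directly via CallAlertFuncs() (spp_portscan, and by the
# same reasoning spp_anomsensor), because those only reach plugins registered
# for alerts.
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=db.example.internal

# --- Variant 2: database plugin on the "alert" chain ---
# Receives "alert" rules plus preprocessor alerts such as portscans.  This is
# the mode the thread describes as necessary to get spp_portscan into the DB.
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=db.example.internal

# --- Variant 3: unified output for Barnyard ---
# Snort writes compact binary records locally and returns to sniffing; a
# separate Barnyard process reads these files and does the (slow) database
# inserts, so a burst of noisy events costs the sensor disk writes, not
# per-packet database round trips.  The "limit" value is the rollover size
# in megabytes.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128
```

When reading a sensor's configuration, the practical check is therefore not
"is the database plugin present" but "which chain is it on": a "log"-mode
database plugin silently drops preprocessor alerts, and a sensor whose only
defence against the disk-filling case is a remote database still has its
default local alert files to account for.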