Snort mailing list archives

Re: Log vs. Alert --end the confusion!


From: Chris Green <cmg () sourcefire com>
Date: Mon, 12 Aug 2002 18:04:06 -0400

Steve Halligan <giermo () geeksquad com> writes:

> Ok, let's start with some definitions:
>
> Alert:  Generate an alert for a packet.  This is meant for events that are
> considered "high priority".  Most signatures have this as their default
> action.  After the alert is generated, the event is also logged.  Note that
> payload is not captured in an alert.  If you want to investigate further,
> look at the log output of the event corresponding to the alert.

Alert means to generate a textual message saying this event occurred
and to log it to the logging subsystem.

> Log:  Log the event.  Meant for less important events, and also to capture
> additional data from alert events that may be needed for further
> investigation.

Log means to log the packet that matches this event.

> Ok, those definitions may not be exactly right, but I think that they catch
> the drift of things.  My problem is the following inconsistency relating to
> ALERT and its use by preprocessors.
>
> Let me use portscan2 as an example, however this also applies to fnord and
> possibly others.

As you've probably noticed, the logging subsystem doesn't do very well
on many->one alerts. This is a "to be fixed". :)

> 1)  Calls alert, but never logs.  Therefore no way to get payload data.

Should probably give it the singular packet data.  Oversight noted. :)

> 2)  Why are these using Alert in the first place?  Portscans seem low
> priority.  Wouldn't they be better in log?

The textual info that says they happened is a log.

> As an aside.  I would like to put my vote in for a single generic message
> from portscan2.  As it is, the msg looks like this "Portscan detected from
> a.b.c.d blah blah blah".  For those of us that use a database, this adds a
> unique signature for each and every portscan.  In addition to clogging up
> the signature table, it frustrates signature based queries.  Why put the ip
> in the message?  You can see it in the ip addr field anyway.  If you need to
> know the number of ports/hosts, you can look in the scan.log.

Yeah... This makes sense.  I'll add that.  Thanks for reminding me on
mail instead of IRC.
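Steve's database point, shown with an added example that is not from this thread or from Snort: constructed events in (msg, src_ip) form are normalized so a signature table keyed on the message gets one row for all portscans while the scanning address stays in the source-ip field. The text after the address in the message and the (msg, src_ip) layout are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample events (not real Snort output): (msg, src_ip) pairs as
# they would land in a database's signature and ip-header fields. The text
# after the address is an assumption; the post only shows
# "Portscan detected from a.b.c.d blah blah blah".
SAMPLE_EVENTS = [
    ("Portscan detected from 10.0.0.5: 12 targets 40 ports in 3 seconds", "10.0.0.5"),
    ("Portscan detected from 10.0.0.5: 3 targets 200 ports in 10 seconds", "10.0.0.5"),
    ("Portscan detected from 192.0.2.9: 1 targets 1024 ports in 60 seconds", "192.0.2.9"),
    ("Portscan detected from 198.51.100.4: 50 targets 2 ports in 2 seconds", "198.51.100.4"),
    ("EXAMPLE-RULE constructed non-scan hit", "192.0.2.9"),
]

# Matches the per-host portscan message and captures the embedded address.
PORTSCAN_MSG = re.compile(r"^Portscan detected from (\d{1,3}(?:\.\d{1,3}){3})\b")
GENERIC_MSG = "Portscan detected"


def normalize_msg(msg):
    """Return (signature, embedded_ip). Portscan messages collapse to one
    generic signature and hand back the address so the caller can check it
    is already in the packet's src field. Other messages pass through."""
    m = PORTSCAN_MSG.match(msg)
    if not m:
        return msg, None
    return GENERIC_MSG, m.group(1)


def signature_table(events, normalize=False):
    """Count events per signature string, as a table keyed on msg would.
    With normalize=False every distinct scan message becomes its own row."""
    table = Counter()
    for msg, _src in events:
        table[normalize_msg(msg)[0] if normalize else msg] += 1
    return table


def embedded_ip_is_redundant(events):
    """True when every address embedded in a portscan msg equals the src ip
    field of the same event, i.e. dropping it from the msg loses nothing."""
    return all(ip is None or ip == src
               for msg, src in events
               for ip in [normalize_msg(msg)[1]])


if __name__ == "__main__":
    print(len(signature_table(SAMPLE_EVENTS)), "rows with per-host messages")
    print(len(signature_table(SAMPLE_EVENTS, True)), "rows with a generic message")
    print("embedded address redundant:", embedded_ip_is_redundant(SAMPLE_EVENTS))
```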

