Snort mailing list archives

RE: Logging without alerting


From: JBFRYE () UP COM
Date: Fri, 13 Dec 2002 13:44:50 -0600


Yes I've seen this post. As I interpret it, the "alert" rule action should
send a message to the alerting facility and the logging facility. All the
rules I use, make use of the alert action. I see this as meaning every
event that matches a rule utilizing the alert action should send the packet
to the logging facility and the alerting facility ( which is not enabled in
my config ). What I'm seeing is that some alerts don't generate a
corresponding packet in the log. Testing yesterday indicates this is true
with 1.9 as well as 1.87.


Jayme Frye
UPRR
Data Security
271-3970



"L. Christopher Luther" <CLuther@Xybernaut.com>
12/13/02 12:26 PM

To:       "'JBFRYE () UP COM'" <JBFRYE () UP COM>
cc:       "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Subject:  RE: Logging without alerting




Check out this post, courtesy of Erek Adams (mailto:erek () theadamsfamily net):


http://www.theadamsfamily.net/~erek/snort/logging_methods.txt


Maybe this will help.


- Christopher





-----Original Message-----
To: snort-users () lists sourceforge net
From: JBFRYE () UP COM
Date: Thu, 12 Dec 2002 16:00:33 -0600
Subject: [Snort-users] Logging without alerting


My understanding of the output facilities in Snort (1.87) is that there
are two, logging and alerting. The alerting facility exists to let you know
that something interesting has happened. The logging facility exists to
log full packet information to the output format (pcap, ascii, database,
etc). The "alert" action is hard coded to do two things, write an event to
the alert facility and log to the output facility. The "log" action logs
the current packet to the logging facility without generating an alert.
This led me to believe alerting could be turned off (-A none) and I
would still see all the events in the binary log. Comparing an alert file
generated from the binary log (rerun through Snort with the same rule set) to one
generated by Snort on the first pass shows they are not the same (events are missing
from the binary log that are present in the alert file). Are my
assumptions on the Snort output facilities incorrect, or is this behavior a
bug?


FYI: I'm running four sensors that are logging binary format. The binary is
retrieved from the remote sensors every 30 min. and brought down to a
central Snort which processes the file and inserts the alerts into an
Oracle table.

The Snort startup command on the remote sensors is:

          /usr/local/snort/bin/snort -c /usr/local/snort/rules/snort.conf -D -i hme1 -A none -u ddsa992 -g dsagrp -b

The Snort command on the Snort master is:

          /usr/local/snort/bin/snort -c /usr/local/snort/rules/sensor1.conf -r /opt/log/sensor1/name_of_binary_log





Jayme Frye
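A deterministic way to do the comparison Jayme describes (the first-pass alert file versus the alerts regenerated by replaying the binary log with `-r`): an added Python example, not code from this thread or from Snort. It assumes Snort's one-line `alert_fast` output format, keys events on generator/sid/protocol/source/destination so the differing timestamps do not matter, and uses constructed sample lines with local-range sids.

```python
import re
from collections import Counter

# Snort alert_fast line layout (one alert per line), e.g.:
# 12/12-15:58:01.100000 [**] [1:1000001:1] MSG [**] [Priority: 3] {TCP} 10.1.1.5:3344 -> 10.2.2.9:80
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def event_keys(alert_text):
    """Count alerts by a key that drops the timestamp, so an event seen on the
    first pass and again on the replay compares equal."""
    keys = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # blank lines or anything that is not a fast alert
        keys[(m["gid"], m["sid"], m["proto"], m["src"], m["dst"])] += 1
    return keys

def missing_events(first_pass, replay):
    """Return the events (and how many occurrences) present in the first-pass
    alerts but absent from the alerts regenerated from the binary log."""
    first = event_keys(first_pass)
    again = event_keys(replay)
    return Counter({k: n - again.get(k, 0) for k, n in first.items() if n > again.get(k, 0)})

# Constructed sample data: three alerts from the live sensor, two from the replay.
FIRST_PASS = """\
12/12-15:58:01.100000 [**] [1:1000001:1] EXAMPLE local rule A [**] [Priority: 3] {TCP} 10.1.1.5:3344 -> 10.2.2.9:80
12/12-15:58:02.200000 [**] [1:1000002:1] EXAMPLE local rule B [**] [Priority: 3] {UDP} 10.1.1.6:5353 -> 10.2.2.9:53
12/12-15:58:03.300000 [**] [1:1000001:1] EXAMPLE local rule A [**] [Priority: 3] {TCP} 10.1.1.5:3345 -> 10.2.2.9:80
"""
REPLAY = """\
12/12-15:58:01.100000 [**] [1:1000001:1] EXAMPLE local rule A [**] [Priority: 3] {TCP} 10.1.1.5:3344 -> 10.2.2.9:80
12/12-15:58:02.200000 [**] [1:1000002:1] EXAMPLE local rule B [**] [Priority: 3] {UDP} 10.1.1.6:5353 -> 10.2.2.9:53
"""

if __name__ == "__main__":
    for key, n in missing_events(FIRST_PASS, REPLAY).items():
        gid, sid, proto, src, dst = key
        print(f"missing from replay: {n}x [{gid}:{sid}] {proto} {src} -> {dst}")
```

Run against real files by reading the first-pass alert file and the replayed one into the two strings; any key reported is a packet that the alert facility saw but the binary log did not carry.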