Snort mailing list archives

Re: Alerts, Logged and Passed


From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Fri, 28 Feb 2003 13:01:27 -0800 (PST)


Hi,
Thank you so much Erek for your help and, more importantly, your valuable time. So just to double check, from what I
understand: when I get Alerts = 6, Logged = 6, that means the rule(s) that got triggered started with the
"alert" option. And when I get Alerts = 0, Logged = 6, that means the rule(s) that got triggered started with the "log"
option. However, when I get Alerts = 6, Logged = 0, that means the preprocessor got triggered, which only sends alerts and
does not log. Correct?
Thank you so much again Erek for your guidance.
Clayton Mascarenhas
Erek Adams <erek () snort org> wrote:

On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:

After I run snort, a summary shows up saying Alerts = 6, Logged = 6,
Passed = 0. When I open the alert file that is generated I see 6 alerts
there. Then for another data file, when I run snort I get Alerts = 4,
Logged = 0, Passed = 0. Now when I open my alert file I see 4 alerts
in spite of it telling me Logged = 0. So what does that mean? That
"Logged" word, does it represent anything? Sometimes I get Alerts = 8
and Logged = 14; here they say a number greater than that alerted,
which throws me completely off. Now I am really confused. I did read
Marty's article at
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt but I
am still not so clear. Please can someone help me out here.

I also noticed that when in the summary they say Alerts = some number X
and Logged = some number Y which is not equal to X, then the scan
file generated has something in it; otherwise there is nothing in it.
What is this scan file? Does it have anything to do with the Logged and
Alert things? Please could someone help me out and clarify this for me.

Quite simply, the two are totally different, and what you are seeing is
expected depending on your rules.

[Note: In the following, 'file' means "any way that Snort is configured to
log to", whether that is a DB, flat file, pcap, or whatever.]

If the rule starts with 'alert' then it will alert to a file and log the
packet to a file--but that's in no way the same as the 'log' keyword.

If the rule starts with 'log' then it will log to a file and _not_ alert.


Basically, there are two "buckets"--Alert and Log. When a packet is
flagged as an alert, it goes into the Alert bucket. When the alert is
done, then that same packet goes into the Log bucket so that the packet is
not only alerted on, but logged as well. If the packet is
thrown into the Log bucket, then it is simply written out
without an alert firing.

Does that make more sense?

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson


