Snort mailing list archives
Re: Alerts, Logged and Passed
From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Fri, 28 Feb 2003 13:01:27 -0800 (PST)
Hi, Thankyou so much Erek for your help and more importantly your valuable time. So just to double check....from what I understand ...... when I get Alerts = 6 , Logged = 6... that means the rule(s) that got triggered started with the "alert" option. And when I got Alerts = 0, Logged = 6, that means the rule(s) that got triggered started with the "Log" option. However when I get Alerts = 6, Logged = 0 that means the preprocessor got triggered which only sends alerts and does not log. Correct?? Thankyou so much again Erek for your guidance. Clayton Mascarenhas Erek Adams <erek () snort org> wrote:On Fri, 28 Feb 2003, Clayton Mascasrenhas wrote:
After I run snort... a summary shows up saying Alerts = 6 , Logged = 6, Passed = 0. When I open my alert file that is generated I see 6 alerts there. Then for another data file when I run snort I get Alerts = 4 , Logged = 0, Passed = 0. Now when I open my alert file I see 4 alerts inspite of them telling me Logged = 0. So what does that mean??.. that "Logged" word.. does it represent anything?? Sometimes I get Alert = 8 and Logged = 14... here they say a number greater than that alerted... which throws me completely off. Now I am really confused. I did read Marty's article at http://www.theadamsfamily.net/~erek/snort/logging_methods.txt but I still am not so clear. Please can someone help me out here. I also noticed that when in the summary they say Alerts = some number X and Logged = some number Y which is not equal to X ... then the scan file generated has something in it.... otherwise there is nothing in it. What is this scan file?? Does it have anything to do with the Logged and Alert things. Please could someone help me out and clarify this for me.
Quite simply, the two are tottaly different, and what you are seeing is expected depending on your rules. [Note: In the following 'file' means "any way that Snort is configured to log" with that would be a DB, flat file, pcap, or whatever.] If the rule starts with 'alert' then it will alert to a file and log to a file the packet--But that's in no way the same as the 'log' keyword. If the rule starts with 'log' then it will log to a file and _not_ alert. Basically, there are two "buckets"--Alert and Log. When a packet is flagged as an alert, it goes into the Alert bucket. When the alert is done, then that same packet goes into the Log bucket so that the packet is not only alerted on, but logged to as well. If the packet is thrown into the Log bucket, then it is simply written to without an alert firing. Does that make more sense? Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson --------------------------------- Do you Yahoo!? Yahoo! Tax Center - forms, calculators, tips, and more
Current thread:
- Alerts, Logged and Passed Clayton Mascasrenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)
- Re: Alerts, Logged and Passed Clayton Mascarenhas (Feb 28)
- Re: Alerts, Logged and Passed Erek Adams (Feb 28)