Snort mailing list archives

Re: Alerts, Logged and Passed


From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Fri, 28 Feb 2003 15:08:45 -0800 (PST)


Erek... one last doubt. I am sorry for bugging you like this and being so slow to understand, but just this one
last doubt... the final doubt. You said...
You: If you have 3003 items that got to the 'Alert' facility, you will have 3003 alerts. If you have 494 items that go 
to the 'Log' facility, you will have 494 log entries. 

My doubt..... that means the 3003 alerts will be in the alert file..... but where are the 494 log entries?? in which 
file??

You: If you have _both_ you will have 3003 alerts, 494 logged, and the output will contain 3497 bits of packet info.

My doubt..... does this mean the alert file will have 3497 entries??

You: Examine your rules file(s). Look for "log" and "alert"
grep 'log' *.rules (This should generate 0 unless you have customized rules.)
grep 'alert' *.rules (This will generate a lot of them.)

My doubt... yes, you are absolutely correct. But since I got 0 when I grep 'log' *.rules... how come in some situations
I get alert = 0 and log = 6, because there are no rules that start with Log?

Clayton Mascarenhas

Erek Adams <erek () snort org> wrote:

On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:

Thank you so much Erek for your help and more importantly your valuable
time. So just to double check... from what I understand... when I
get Alerts = 6 , Logged = 6... that means the rule(s) that got triggered
started with the "alert" option. And when I got Alerts = 0, Logged = 6,
that means the rule(s) that got triggered started with the "Log" option.
However when I get Alerts = 6, Logged = 0 that means the preprocessor
got triggered which only sends alerts and does not log. Correct??

Examine your rules file(s). Look for "log" and "alert"

grep 'log' *.rules (This should generate 0 unless you have
customized rules.)
grep 'alert' *.rules (This will generate a lot of them.)

If the packets were alerted on or logged, have a look at them and see what
rule they match. 'snort -vdr '

If a packet is alerted on, it _will_ be logged.

The one thing you need to understand is that the number of 'alert' vs.
'log' entries into the stat output only refers to the facility by which it
was invoked. If you have 3003 items that got to the 'Alert' facility, you
will have 3003 alerts. If you have 494 items that go to the 'Log'
facility, you will have 494 log entries. If you have _both_ you will have
3003 alerts, 494 logged, and the output will contain 3497 bits of packet
info.

Thank you so much again Erek for your guidance.

*pfffttt* I just do what I can. :)

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
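The thread above boils down to a check on the rules themselves: how many rules start with the `alert` action versus the `log` action, which is what drives the "Alerts" and "Logged" counters Erek describes. The `grep 'log' *.rules` one-liner answers that only approximately, because it matches the substring anywhere on the line (inside a `msg:` string, in a commented-out rule). The script below is an added example written for this archive page, not code from the thread or from the Snort project; the rules it parses are a constructed sample, and the set of action keywords is the classic Snort 1.x/2.x list. It counts rules by their leading action token and shows, side by side, what a plain substring grep would have reported.

```python
from collections import Counter

# Constructed sample rules file (not from the thread). The msg strings on the
# first and third rules, and the commented-out fourth rule, all contain the
# substring "log" so that a plain `grep 'log'` overcounts them.
SAMPLE_RULES = """\
# constructed example rules
alert tcp any any -> any 80 (msg:"WEB login page probe"; content:"login"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP ping"; sid:1000002; rev:1;)
log udp any any -> any 514 (msg:"syslog traffic"; sid:1000003; rev:1;)
pass tcp 10.0.0.5 any -> any 22 (msg:"trusted admin host"; sid:1000004; rev:1;)
# log tcp any any -> any any (commented out, must not count)
"""

# Rule actions recognised by classic Snort; only the first token of a rule
# line decides which facility (alert, log, pass, ...) a match is sent to.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}


def count_rule_actions(text):
    """Count rules by their leading action keyword, skipping blanks and comments."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0].lower()
        if action in RULE_ACTIONS:
            counts[action] += 1
    return counts


def grep_count(text, needle):
    """What `grep 'needle' file | wc -l` reports: lines containing the substring anywhere."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    by_action = count_rule_actions(SAMPLE_RULES)
    for action in sorted(RULE_ACTIONS):
        print(f"rules starting with '{action}': {by_action.get(action, 0)}")
    print(f"grep 'log' would report {grep_count(SAMPLE_RULES, 'log')} lines")
    print(f"grep 'alert' would report {grep_count(SAMPLE_RULES, 'alert')} lines")
```

On the sample, `count_rule_actions` reports two `alert` rules, one `log` rule and one `pass` rule, while the substring grep for `log` reports three lines. When checking a real rules directory, loop the function over each `*.rules` file; a nonzero `log` count from the parser, rather than from grep, is the evidence that a "Logged" counter with zero "Alerts" came from a `log` rule rather than from a preprocessor.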


