Snort mailing list archives

Re: Alerts, Logged and Passed


From: Erek Adams <erek () snort org>
Date: Fri, 28 Feb 2003 18:30:50 -0500 (EST)

On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:


Erek... one last doubt.. I am sorry for bugging you like this and being
so slow to understand..... but just this one last doubt...the final
doubt... .. You said... You: If you have 3003 items that got to the
'Alert' facility, you will have 3003 alerts. If you have 494 items that
go to the 'Log' facility, you will have 494 log entries.

My doubt..... that means the 3003 alerts will be in the alert file.....
but where are the 494 log entries?? in which file??

You: If you have _both_ you will have 3003 alerts, 494 logged, and the
output will contain 3497 bits of packet info.

My doubt..... does this mean the alert file will have 3497 entries??

You: Examine your rules file(s). Look for "log" and "alert" grep 'log'
*.rules (This should generate 0 unless you have customized rules.) grep
'alert' *.rules (This will generate a lot of them.)

My doubt ... yes you are absolutely correct.  But since I got 0 when I
grep 'log' *.rules ... how come in some situations I get alert = 0 and
log = 6 ...because there are no rules that start with Log.

The way it works:

If you have an alert....

        "Alert Facility" -->  "Log Facility"  --> <whatever output>

But it _only_ counts as an "Alert", not a "Log".

If you have a log....

        "Log Facility" --> <whatever output>

And it only counts as a "Log".

Think of two containers.  One, "Alert" is above the other.  Two, "Log" is
below #1.  Items from #1 (alert) spill over into #2 (log).  From container
#2 the items go to <whatever>.

So....

  You can put items into #1.  Once they go in, they go to #2.

  You can put items into #2.  Once they go in, they go to <wherever>.

  If an item goes into #1, it then goes to #2, and then to <wherever>.

  If an item _only_ goes into #2, then it just goes to <wherever>.


Is that any better?  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
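As an added illustration of the two-container model described above (this is example code, not part of the thread and not Snort's own code), the following Python script classifies constructed rule lines by their action keyword, shows why a bare `grep 'log' *.rules` can overcount (the word "log" also appears inside rule options such as "login"), and applies the spill-over counting to the 3003/494 figures from the thread. The rule lines and sids are constructed samples, not from any real ruleset.

```python
import re
from collections import Counter

# Constructed sample rules (not from any real ruleset). The third rule is
# the trap: a plain `grep 'log'` matches "login" in its msg option, yet its
# action is "alert".
SAMPLE_RULES = """\
# comment line, ignored by the parser
alert tcp any any -> any 80 (msg:"web probe"; sid:1000001;)
alert udp any any -> any 53 (msg:"dns query"; sid:1000002;)
alert tcp any any -> any 22 (msg:"ssh login attempt"; sid:1000003;)
log tcp any any -> any 23 (msg:"telnet session"; sid:1000004;)
pass icmp any any -> any any (sid:1000005;)
"""

# A rule's action is the first word of the header line.
ACTION_RE = re.compile(r"^\s*(alert|log|pass|activate|dynamic)\b")

def rule_actions(text):
    """Return the action keyword of every non-comment rule line, in order."""
    actions = []
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            actions.append(m.group(1))
    return actions

def naive_grep_count(text, word):
    """What `grep -c 'word'` reports: every line containing the word anywhere."""
    return sum(1 for line in text.splitlines() if word in line)

def facility_counts(hits):
    """Apply the spill-over model to a list of triggered rule actions.

    An alert is counted once, in the alert facility, then spills through the
    log facility to the output; a log rule is counted once, in the log
    facility. Output entries are therefore alerts + logs. Pass rules produce
    nothing in either facility."""
    c = Counter(hits)
    alerts, logs = c["alert"], c["log"]
    return {"alerts": alerts, "logs": logs, "output_entries": alerts + logs}

if __name__ == "__main__":
    print("actions:", rule_actions(SAMPLE_RULES))
    print("naive grep 'log':", naive_grep_count(SAMPLE_RULES, "log"))
    print("thread figures:", facility_counts(["alert"] * 3003 + ["log"] * 494))
```

Anchoring the match to the start of the line (`grep -c '^log' *.rules`) gives the same result as `rule_actions`, which is the check the reply is really asking for.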



