Snort mailing list archives
RE: Question about Snort/ACID/MySQL and how they play together
From: "Michael Steele" <michaels () silicondefense com>
Date: Fri, 25 Apr 2003 11:39:25 -0700
All,

This was a conversation that I was having with Erek on the difference between log and alert. It seems that Erek is indisposed as there have been no posts from him :(, so I'll throw it out to the masses and maybe someone can enlighten me?

This is an excerpt from a previous message from Erek. His response seems to contradict my tests. Could my testing be skewed in some way?

----------\
Alert only does alert whereas log does alert and log. It's confusing since they are both named the same, but seem to have different meanings in the db plug-in. Remember how you need to have 'log' to get output from the portscan(2) preprocessor into ACID?
----------/

Ok, I have tested three settings and this is what I have come up with. I cleaned out the log folder prior to each test and restarted Snort at the appropriate times to get the IDS back up and fully functioning.

Test 1) Using 'output database alert' and 'output database log' in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic including portscans to MySQL.
In the log folder: Only portscan.log created.

Test 2) Using 'output database log' only in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic except portscans to MySQL.
In the log folder: Only portscan.log created.

Test 3) Using 'output database alert' only in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic including portscans to MySQL.
In the log folder: Portscan.log was created along with folders with an IP as the folder name, with logs inside each folder.

Out of all three tests, no /log/alert.ids file was created.

Test 1 logs everything to MySQL, including creating the portscan.log file, but no log file was created by alerts that were triggered by rules.

Test 2 is not an option if you want to log portscans to the MySQL database.

Test 3 logs everything to MySQL, including creating the portscan.log file, and it also creates logs in /log/<IP>/ from alerts that were triggered by rules.

What is the difference between Test 1 and Test 2 as far as the end results? Are they both doing the exact same thing except that Test 3 is creating the log files?

I thought I had this all down, but for some reason it's not clicking. It looks like what Erek told me contradicts what my tests are coming up with.

Thank you...

Michael
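As an added example (not part of the message above and not Snort's own code): a small checker that reads a snort.conf, reports which database output facilities ('alert' and/or 'log') are enabled, and flags the Test 2 situation from the post, where only the 'log' facility is configured and the portscan preprocessor output therefore did not reach MySQL in the poster's tests. It assumes the Snort 2.x `output database: <facility>, <dbtype>, <params>` line syntax (the colon is accepted as optional, since the post omits it); the three config fragments and the mapping of facility sets to the post's test numbers are constructed from the results the poster reported, not from Snort documentation.

```python
"""Report which Snort 'output database' facilities a snort.conf enables.

Constructed example encoding the behaviour reported in the message above.
Assumption: Snort 2.x syntax  output database: <alert|log>, <dbtype>, <params>
"""
import re

# One 'output database' line: optional colon after the keyword, then the
# facility (alert or log), the database type, and the connection parameters.
OUTPUT_DB_RE = re.compile(
    r"^\s*output\s+database\s*:?\s*(alert|log)\s*,\s*(\w+)\s*,?\s*(.*)$",
    re.IGNORECASE,
)

# Facility sets observed in the post mapped to its test numbers (constructed).
TEST_BY_FACILITIES = {
    frozenset({"alert", "log"}): 1,
    frozenset({"log"}): 2,
    frozenset({"alert"}): 3,
}


def db_output_facilities(conf_text):
    """Return the set of database facilities enabled in snort.conf text.

    Lines starting with '#' are treated as comments and ignored, so a
    commented-out output line does not count as enabled.
    """
    facilities = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = OUTPUT_DB_RE.match(line)
        if match:
            facilities.add(match.group(1).lower())
    return facilities


def assess(conf_text):
    """Summarise what the configured facilities mean according to the post.

    rule_alerts_to_db: any database facility logged rule-triggered events.
    portscans_to_db:   portscan preprocessor output reached MySQL only when
                       the 'alert' facility was present (Tests 1 and 3).
    matches_test:      which of the three posted tests this config is, or None.
    """
    facilities = db_output_facilities(conf_text)
    return {
        "facilities": sorted(facilities),
        "rule_alerts_to_db": bool(facilities),
        "portscans_to_db": "alert" in facilities,
        "matches_test": TEST_BY_FACILITIES.get(frozenset(facilities)),
    }


# Constructed snort.conf fragments mirroring the three tests in the post.
DB_PARAMS = "mysql, user=snort password=example dbname=snort host=localhost"
TEST1_CONF = f"output database: alert, {DB_PARAMS}\noutput database: log, {DB_PARAMS}\n"
TEST2_CONF = f"output database: log, {DB_PARAMS}\n"
TEST3_CONF = f"# output database: log, {DB_PARAMS}\noutput database: alert, {DB_PARAMS}\n"


if __name__ == "__main__":
    for name, conf in (("Test 1", TEST1_CONF), ("Test 2", TEST2_CONF), ("Test 3", TEST3_CONF)):
        result = assess(conf)
        print(f"{name}: facilities={result['facilities']} "
              f"portscans_to_db={result['portscans_to_db']}")
        if not result["portscans_to_db"]:
            print("  warning: no 'alert' database facility; per the post, "
                  "portscan preprocessor output will not reach the database")
```

Running it over your own snort.conf (`assess(open('/etc/snort/snort.conf').read())`) tells you at a glance which of the poster's three configurations you are in.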
Current thread:
- Question about Snort/ACID/MySQL and how they play together Snow Jacob C KPWA (Apr 23)
- RE: Question about Snort/ACID/MySQL and how they play together Michael Steele (Apr 23)
- Re: Question about Snort/ACID/MySQL and how they play together Erek Adams (Apr 24)
- <Possible follow-ups>
- Question about Snort/ACID/MySQL and how they play together Snow Jacob C KPWA (Apr 23)
- RE: Question about Snort/ACID/MySQL and how they play together Michael Steele (Apr 25)