Snort mailing list archives
RE: Question about Snort/ACID/MySQL and how they play together
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 25 Apr 2003 16:03:16 -0400
Michael,

You are correct in your assessment that log-only to a database does not catch 'alerts' from the portscan preprocessors. I seem to remember a thread or two about the portscan preprocessors many months ago, and if I remember correctly, it went something like this:

The portscan preprocessors only generate output to the alert facility -- something to do with the non-standard output of the portscan preprocessors. Therefore, 'output database log' will not catch portscan preprocessor output; you need to use 'output database alert'. <<<<< IMHO, a post from Marty Roesch provided the best explanation of Snort output facilities [0].

I believe Erek's thought was that because an alert rule will trigger output to both the log and alert facilities, directing both of them to the same database would result in duplicate data. I've not tested this, but the logic seems true to me.

Alert rules will generate output to the log facility *and* alert facility -- either facility can be directed to a database. That is, 'output database log' and 'output database alert', respectively.

Log rules will only generate output to the log facility -- it too can be directed to a database. Therefore, 'output database alert' will not catch log rules; you need to use 'output database log'.

All of this discussion was prior to Snort 2.0, so I don't know if anything has changed in recent days.

HTH -
Christopher

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Friday, April 25, 2003 2:39 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Question about Snort/ACID/MySQL and how they play together

All,

This was a conversation that I was having with Erek on the difference between log and alert. It seems that Erek is indisposed as there have been no posts from him :(, so I'll throw it out to the masses and maybe someone can enlighten me?

This is an excerpt from a previous message from Erek. His response seems to contradict my tests. Could my testing be skewed in some way?

----------\
Alert only does alert whereas log does alert and log. It's confusing since they are both named the same, but seem to have different meanings in the db plug-in.

Remember how you need to have 'log' to get output from the portscan(2) preprocessor into ACID?
----------/

Ok, I have tested three settings and this is what I have come up with: I cleaned out the log folder prior to each test and restarted Snort at the appropriate times to get the IDS back up and fully functioning.

Test 1) Using 'output database alert' and 'output database log' in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic including portscans to MySQL.
In the log folder: Only portscan.log created.

Test 2) Using the 'output database log' only in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic except portscans to MySQL.
In the log folder: Only portscan.log created.

Test 3) Using the 'output database alert' only in my snort.conf file. Then I ran a scan on the IDS.
Result of scan: Logged all traffic including portscans to MySQL.
In the log folder: Portscan.log was created along with folders with an IP as folder name with logs inside each folder.

Out of all three tests, no /log/alert.ids file was created.

Test 1 logs everything to MySQL, including creating the portscan.log file, but no log file was created by alerts that were triggered by rules.

Test 2 is not an option if you want to log portscans to the MySQL database.

Test 3 logs everything to MySQL, including creating the portscan.log file, and it also creates logs in /log/<IP>/ from alerts that were triggered by rules.

What is the difference between Test 1 and Test 2 as far as the end results? Are they both doing the exact same thing except Test 3 is creating the log files?

I thought I had this all down, but for some reason it's not clicking. It looks like what Erek told me contradicts what my tests are coming up with.

Thank you...

Michael

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
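The facility rules the thread works out (alert rules feed both facilities, log rules only the log facility, the portscan preprocessor only the alert facility) can be turned into a small snort.conf checker that reports which of Michael's three configurations loses portscans, loses log rules, or risks duplicate rows. This is an added example, not code from the thread or from the Snort project; the config excerpts are constructed to mirror the three tests, and the checker encodes the pre-2.0 behaviour as the thread describes it, which is an assumption about the version in use.

```python
import re

# Constructed snort.conf output lines mirroring Michael's three tests
# (Snort 2.0 "output database:" syntax; database parameters are placeholders).
CONF_TEST1 = """
output database: alert, mysql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort host=localhost
"""
CONF_TEST2 = "output database: log, mysql, user=snort dbname=snort host=localhost\n"
CONF_TEST3 = "output database: alert, mysql, user=snort dbname=snort host=localhost\n"

# Matches "output database: alert, ..." as well as the shorthand
# "output database alert" used in the thread; '#' lines are comments.
_OUTPUT_DB = re.compile(r"^\s*output\s+database\s*:?\s*(alert|log)\b", re.I)


def database_facilities(conf_text):
    """Return the set of facilities ('alert', 'log') directed to a database."""
    facilities = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _OUTPUT_DB.match(line)
        if m:
            facilities.add(m.group(1).lower())
    return facilities


def check_output_config(conf_text):
    """Apply the thread's (pre-2.0) facility rules to a config excerpt:
    alert rules -> alert AND log facility, log rules -> log facility only,
    portscan preprocessor -> alert facility only."""
    fac = database_facilities(conf_text)
    return {
        "facilities": fac,
        "alert_rules_to_db": bool(fac),                  # either facility works
        "log_rules_to_db": "log" in fac,
        "portscan_to_db": "alert" in fac,
        "possible_duplicates": fac == {"alert", "log"},  # alert rules hit both
    }


def findings(conf_text):
    """Human-readable warnings for the gaps the thread describes."""
    r = check_output_config(conf_text)
    out = []
    if not r["portscan_to_db"]:
        out.append("portscan preprocessor output will not reach the database")
    if not r["log_rules_to_db"]:
        out.append("'log' rules will not reach the database")
    if r["possible_duplicates"]:
        out.append("alert rules may be stored twice (alert and log facility)")
    return out
```

Running `findings()` over each excerpt reproduces the outcome of the corresponding test: Test 2 drops portscans, Test 3 drops log rules, and Test 1 is the case Erek warned about.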
Current thread:
- RE: Question about Snort/ACID/MySQL and how they play together L. Christopher Luther (Apr 23)
- <Possible follow-ups>
- RE: Question about Snort/ACID/MySQL and how they play together L. Christopher Luther (Apr 25)