Snort mailing list archives

Events vs. Alerts


From: Thomas Hyslip <thomas.hyslip () gmail com>
Date: Mon, 10 Feb 2014 19:32:41 -0500

Not quite sure I understand the difference between an event and an alert.
I have a threshold within a rule for 25 SYN packets every second (DDoS)
egressing the network.

I have tried different pcaps with tcpreplay to test the rule. When I know
there are more than 25 SYN packets within a second, I see the alerts in
barnyard2 and afterwards when I stop Snort. But, when I'm sure there are
not 25 SYNs in one second, I get no alerts, but after stopping Snort and
barnyard, I see events were logged or filtered.

So, I am a little confused what Snort means by an event that is not an
alert. Also, FYI, I have no other rules or preprocessors running. Here
is the output from Snort:

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:          241
      Alert:            0
Verdicts:
      Allow:       722528 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=1000001    type=Threshold tracking=src count=25 seconds=1   filtered=241

Any idea what the 241 event and filtered could be?

Thanks
Tom
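As an added illustration (not code from the list post or from Snort itself), the model below reproduces the counters shown above for a threshold filter of type threshold, track by source, count 25, seconds 1: every rule match is an event, and only the 25th match from the same source inside a one-second window passes as an alert, so a steady stream that never reaches 25 per second yields 0 alerts but a non-zero filtered-event count. Timestamps, source addresses and the helper names are constructed assumptions.

```python
def constructed_syns(n, rate_per_second, src="10.0.0.5", start=0.0):
    """Constructed test input: n SYN matches from one source at a fixed rate.

    Returns a list of (timestamp_in_seconds, source_ip) tuples.
    """
    return [(start + i / rate_per_second, src) for i in range(n)]


def apply_threshold(matches, count, seconds):
    """Model of an event_filter with type threshold and track by_src.

    Each rule match is an *event*. The filter lets an alert through only on
    the count-th match from the same source within a window of `seconds`;
    every other match is counted as a filtered event. The window starts at the
    first match seen from that source and is restarted once it has expired.

    Returns (alerts, filtered), the two numbers the poster compared.
    """
    state = {}          # src -> (window_start, matches_seen_in_window)
    alerts = 0
    filtered = 0
    for ts, src in matches:
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:     # window expired: open a new one
            start, n = ts, 0
        n += 1
        if n >= count:                # threshold reached: alert, restart counter
            alerts += 1
            n = 0
        else:
            filtered += 1             # event seen, but suppressed by the filter
        state[src] = (start, n)
    return alerts, filtered


def scenario_below_threshold():
    """241 SYNs at 8 per second: never 25 in one window, so all are filtered."""
    return apply_threshold(constructed_syns(241, rate_per_second=8), count=25, seconds=1)


def scenario_burst():
    """60 SYNs in 0.6 s: two full groups of 25 alert, the remaining 10 are filtered."""
    return apply_threshold(constructed_syns(60, rate_per_second=100), count=25, seconds=1)


if __name__ == "__main__":
    print("steady 8/s  -> alerts, filtered =", scenario_below_threshold())
    print("burst 100/s -> alerts, filtered =", scenario_burst())
```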