Snort mailing list archives
Re: Events vs. Alerts
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Tue, 11 Feb 2014 15:14:15 +0000
Event Limit counts events not alerted due to event_filter limits. Alert Limit counts events that were not alerted because they were already triggered on the session.

-Nick

From: Thomas Hyslip <thomas.hyslip () gmail com>
Date: Monday, February 10, 2014 7:32 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Events vs. Alerts

Not quite sure I understand the difference between an event and an alert. I have a threshold within a rule for 25 SYN packets every second (DDoS) egressing the network. I have tried different pcaps with tcpreplay to test the rule. When I know there are more than 25 SYN packets within a second, I see the alerts in barnyard2 and afterwards when I stop Snort. But, when I'm sure there are not 25 SYNs in one second, I get no alerts, but after stopping Snort and barnyard, I see events were logged or filtered. So, I am a little confused what Snort means by an event that is not an alert. Also, FYI, I have no other rules or pre-processors running. Here is the output from Snort:

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:          241
      Alert:            0
Verdicts:
      Allow:       722528 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
+-----------------------[filtered events]--------------------------------------
| gen-id=1 sig-id=1000001 type=Threshold tracking=src count=25 seconds=1 filtered=241

Any idea what the 241 event and filtered could be?

Thanks
Tom
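The behaviour Nick describes, as an added example that is not part of the thread: a small model of Snort's event_filter "type threshold, track by_src" logic, fed constructed SYN timings, showing when a rule match becomes an alert and when it is only counted as a filtered event (the "Limits: Event" and "filtered=" numbers). The class, function and IP addresses are assumptions for illustration, not Snort's own code.

```python
# Added example (not from the thread): a model of how Snort's event_filter
# "type threshold, track by_src" decides between an alert and a filtered event.
# Assumes the documented semantics: alert on every count-th match per source
# inside a `seconds`-long window; every other match is counted as filtered.
# All packet tuples and timestamps below are constructed sample data.

class ThresholdFilter:
    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}       # src -> (window_start, hits_in_window)
        self.alerts = 0
        self.filtered = 0

    def event(self, src, ts):
        """Feed one rule match from `src` at time `ts`; return True if it alerts."""
        start, hits = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0             # first match opens a fresh window
        hits += 1
        if hits >= self.count:
            self.alerts += 1                # 25th SYN inside the window -> alert
            self.windows[src] = (start, 0)  # counter restarts, window continues
            return True
        self.filtered += 1                  # below the threshold -> filtered event
        self.windows[src] = (start, hits)
        return False


def replay(count, seconds, packets):
    """Run (src, ts) rule matches through a fresh filter; return (alerts, filtered)."""
    f = ThresholdFilter(count, seconds)
    for src, ts in packets:
        f.event(src, ts)
    return f.alerts, f.filtered


# Constructed traffic: 20 SYNs per second from one host for 10 seconds.
# No one-second window ever reaches 25, so every match is filtered: this is
# the "Alerts: 0" but non-zero "Event:" limit that Tom saw.
slow_syn_flood = [("10.0.0.5", s + i / 20) for s in range(10) for i in range(20)]

# Constructed traffic: 30 SYNs within half a second from one host.
burst = [("10.0.0.5", i / 60) for i in range(30)]

if __name__ == "__main__":
    print("slow:", replay(25, 1, slow_syn_flood))   # (0, 200)
    print("burst:", replay(25, 1, burst))           # (1, 29)
```

Because tracking is by source, 30 SYNs in one second split across two hosts (15 each) also produce no alert, only 30 filtered events.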