'Re: [Snort-users] Alerts, Logged and Passed'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-users
Subject:    Re: [Snort-users] Alerts, Logged and Passed
From:       Erek Adams <erek () snort ! org>
Date:       2003-02-28 23:30:50
[Download RAW message or body]

On Fri, 28 Feb 2003, Clayton Mascarenhas wrote:

>
> Erek... one last doubt.. I am sorry for bugging you like this and being
> so slow to understand..... but just this one last doubt...the final
> doubt... .. You said... You: If you have 3003 items that got to the
> 'Alert' facility, you will have 3003 alerts. If you have 494 items that
> go to the 'Log' facility, you will have 494 log entries.
>
> My doubt..... that means the 3003 alerts will be in the alert file.....
> but where are the 494 log entries?? in which file??
>
> You: If you have _both_ you will have 3003 alerts, 494 logged, and the
> output will contain 3497 bits of packet info.
>
> My doubt..... does this mean the alert file will have 3497 entries??
>
> You: Examine your rules file(s). Look for "log" and "alert" grep 'log'
> *.rules (This should generate 0 unless you have customized rules.) grep
> 'alert' *.rules (This will generate a lot of them.)
>
> My doubt ... yes you are absolutely correct.  But since I got 0 when I
> grep 'log' *.rules ... how come in some situations I get alert = 0 and
> log = 6 ...because there are no rules that start with Log.

The way it works:

If you have an alert....

	"Alert Facility" -->  "Log Facility"  --> <whatever output>

But it _only_ counts as an "Alert", not a "Log".

If you have a log....
	"Log Facility" --> <whatever output>

And it only counts as a "Log".

Think of two containers.  One, "Alert" is above the other.  Two, "Log" is
below #1.  Items from #1 (alert) spill over into #2 (log).  From container
#2 the items go to <whatever>.

So....

  You can put items into #1.  Once they go in, they go to #2.

  You can put items into #2.  Once they go in, they go to <wherever>.

  If an item goes into #1, it then goes to #2, and then to <wherever>.

  If an item _only_ goes into #2, then it just goes to <wherever>.


Is that any better?  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic