Snort mailing list archives
Log vs. Alert --end the confusion!
From: Steve Halligan <giermo () geeksquad com>
Date: Mon, 12 Aug 2002 16:22:34 -0500
Ok, lets start with some definitions: Alert: Generate an alert for a packet. This is meant for events that are considered "high priority". Most signatures have this as their default action. After the alert is generated, the event is also logged. Note that payload is not captured in an alert. If you want to investigate further, look at the log output of the event corresponding to the alert. Log: Log the event. Meant for less important event, and also to capture additional data from alert events that may be needed for further investigation. Ok, those definitions may not be exactly right, but I think that they catch the drift of things. My problem is the following inconsistancy relating to ALERT and its use by preprocessors. Let me use portscan2 as an example, however this also applies to fnord and possibly others. 1) Calls alert, but never logs. Therefore no way to get payload data. If you use barnyard, in order to see these alerts you need to process the unified alert. If you do that, then none of your events have payload data. If you run 2 barnyard processes, one for log and one for alert, you get duplicates. I suppose you could have an alert database and then a log database for further investigation and correlation, but that seems silly. 2) Why are these using Alert in the first place. Portscans seem low priority. Wouldn't they be better in log? As an aside. I would like to put my vote in for a single generic message from portscan2. As it is, the msg looks like this "Portscan detected from a.b.c.d blah blah blah". For those of us that use a database, this adds a unique signature for each and every portscan. In addition to clogging up the signature table, it frustrates signature based queries. Why put the ip in the message? You can see it in the ip addr field anyway. If you need to know the number of ports/hosts, you can look in the scan.log. -Steve ------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Log vs. Alert --end the confusion! Steve Halligan (Aug 12)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 12)
- <Possible follow-ups>
- RE: Log vs. Alert --end the confusion! Williams Jon (Aug 13)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 13)