Snort mailing list archives
Logging without alerting
From: JBFRYE () UP COM
Date: Thu, 12 Dec 2002 16:00:33 -0600
My understanding of the output facilities in Snort (1.87) is that there are two, logging and alerting. The alerting facility exists to let you know that something interesting has happened. The logging facility exists to log full packet information to the output format (pcap, ascii, database, etc.). The "alert" action is hard coded to do two things: write an event to the alert facility and log to the output facility. The "log" action logs the current packet to the logging facility without generating an alert. This led me to believe alerting could be turned off (-A none) and I would still see all the events in the binary log. However, an alert file generated from the binary log (rerun through Snort with the same rule set) and one generated by Snort on the first pass are not the same (events are missing from the binary log that are present in the alert file). Are my assumptions on the Snort output facilities incorrect, or is this behavior a bug?

FYI: I'm running four sensors that are logging in binary format. The binary is retrieved from the remote sensors every 30 min. and brought down to a central Snort which processes the file and inserts the alerts into an Oracle table.
The Snort startup command on the remote sensors is:

    /usr/local/snort/bin/snort -c /usr/local/snort/rules/snort.conf -D -i hme1 -A none -u ddsa992 -g dsagrp -b

The Snort command on the Snort master is:

    /usr/local/snort/bin/snort -c /usr/local/snort/rules/sensor1.conf -r /opt/log/sensor1/name_of_binary_log

Jayme Frye
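The comparison described in the post (live-sensor alert file versus the alert file produced by replaying the binary log with -r) can be done mechanically. The script below is an added example, not code from the original post or from the Snort project; it assumes both files are in Snort's "alert fast" one-line format and keys each event on timestamp, generator:signature id, protocol and endpoints, so that any event the live sensor alerted on but the replayed binary log did not is listed. The two alert texts embedded in it are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# One Snort "alert fast" line looks like (constructed sample, not real traffic):
# 12/12-15:42:07.104512 [**] [1:1000001:1] MSG [**] [Classification: x] [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
# The [Classification: ...] and [Priority: n] fields may be absent, and ICMP endpoints carry no port.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# (timestamp, "gid:sid", protocol, source, destination) identifies one event.
Key = Tuple[str, str, str, str, str]

def parse_fast_alerts(text: str) -> Dict[Key, str]:
    """Map each parseable alert line to its message; unrelated lines are skipped."""
    events: Dict[Key, str] = {}
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        key = (m["ts"], f'{m["gid"]}:{m["sid"]}', m["proto"], m["src"], m["dst"])
        events[key] = m["msg"]
    return events

def missing_from_replay(live_alerts: str, replay_alerts: str) -> List[Key]:
    """Events the live sensor alerted on that do not reappear when the binary log is replayed."""
    live = parse_fast_alerts(live_alerts)
    replay = parse_fast_alerts(replay_alerts)
    return sorted(k for k in live if k not in replay)

# Constructed sample alert files: the replay is missing the ICMP event.
LIVE_ALERTS = """\
12/12-15:42:07.104512 [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
12/12-15:42:08.220077 [**] [1:1000002:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
12/12-15:42:09.000001 [**] [1:1000003:1] CONSTRUCTED dns query [**] [Priority: 2] {UDP} 10.0.0.5:53001 -> 10.0.0.2:53
"""
REPLAY_ALERTS = """\
12/12-15:42:07.104512 [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
12/12-15:42:09.000001 [**] [1:1000003:1] CONSTRUCTED dns query [**] [Priority: 2] {UDP} 10.0.0.5:53001 -> 10.0.0.2:53
"""

if __name__ == "__main__":
    for key in missing_from_replay(LIVE_ALERTS, REPLAY_ALERTS):
        print("missing after replay:", key)
```

Point it at the real alert files from a sensor's first pass and from the master's -r run to get the exact list of events the binary log did not capture.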