[Snort-devel] Proposal: New rule action, "info"

Martin Roesch roesch at ...402...
Fri Nov 2 07:53:05 EST 2001


Logging means logging the packet; it exists to give you the backing
information to determine whether something was a real attack or not, and
to give you the forensic information to analyze attacks.  Alerting lets you
know that something interesting has happened and has been logged
(usually).  That comment is somewhat misleading, I guess: using log_null
doesn't guarantee that an event will be generated; you can turn off
alerting as well.


     -Marty


Matthew Callaway wrote:
> 
> Thanks!
> 
> Just a note on semantics though.  In discussing "logging" and
> "alerting", I have found it a bit confusing.  Does "logging" mean
> "logging the alert string to syslog" or "logging the packet"?  Well, we
> all know that we mean packet logging, but it *is* confusing.  You might
> edit the "Purpose" string in the spo_log_null plugin to say:
> 
>  * This module is a NULL placeholder for people that want to turn off
>  * packet logging for whatever reason, while still sending alerts to
>  * the system logging facility.
> 
> Just a suggestion.
> 
> Matt
> 
> On Thu, 1 Nov 2001, Martin Roesch wrote:
> 
> > Ok, I just checked in spo_log_null, so you can now do this:
> >
> > ruletype info {
> >       type alert
> >       output alert_fast: info.alert
> >       output log_null
> > }
> >
> > and not have the packets logged.  It's a hack, but it's a prettier hack.
> > :)
> >
> >      -Marty
> >
> > Matthew Callaway wrote:
> > >
> > > In that case, I'll just hold off until development of 2.0 gets underway,
> > > and stick with my hack for now.
> > >
> > > Matt
> > >
> > > On Thu, 1 Nov 2001, Martin Roesch wrote:
> > >
> > > > That said, we're finally ready to begin development on Snort 2.0 and I
> > > > expect to do so starting in December.  Snort 2.0 will be a lot cleaner
> > > > than the current design, and when it's ready I think people will be
> > > > happy with the overall level of flexibility and power offered by the
> > > > second generation of the system.
> >
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch at ...402... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
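The custom action Marty checked in, written out as a complete snort.conf fragment next to a stock alert rule for comparison. This is an added example, not code from the thread or from the Snort distribution: the HOME_NET value, the rule content, the msg strings and the sid numbers are made up for illustration.

```snort
# Added example, not from the original thread.  Assumes Snort 1.8-era
# syntax; HOME_NET, rule content and sids are constructed, not real signatures.
var HOME_NET 192.168.1.0/24

# 1. Custom action "info": processed in the same pass as "alert" rules
#    (type alert), writes a one-line event to info.alert in the log
#    directory via alert_fast, and hands the packet to log_null, so no
#    packet log is written for events raised through this action.
#    Output plugins declared inside a ruletype replace the global
#    "output" lines for that action.
ruletype info
{
    type alert
    output alert_fast: info.alert
    output log_null
}

# 2. A rule that uses the new action.  Only the alert line is produced;
#    there is no packet to go back to later.
info tcp any any -> $HOME_NET 80 (msg:"INFO plain HTTP GET seen"; content:"GET "; nocase; sid:1000001; rev:1;)

# 3. The same match with the stock "alert" action goes to the global output
#    plugins, so the packet is logged as well and can be decoded afterwards.
alert tcp any any -> $HOME_NET 80 (msg:"HTTP GET seen, packet logged"; content:"GET "; nocase; sid:1000002; rev:1;)
```

To confirm the split behaves as intended, trigger both rules against a test host and check that the log directory gains entries in info.alert for the first rule but no packet log, while the second rule produces both an alert and a logged packet. Only rules you are content to see without any captured packet should be moved to the info action, since, as the thread says, the packet is the forensic backing for the alert.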