[Snort-users] log and alert difference

Jed Pickel jed at ...153...
Thu Oct 5 13:21:48 EDT 2000


> A simple question:
> 
> What's the difference between log and alert in the log_database plugin?

A not so simple answer:  :)

Snort currently has two logging facilities that are hardcoded (log and
alert). You can specify different types of rules based on these
logging facilities.

For example --- 
You may want to log all ICMP destination unreachables but only be
alerted on something more severe; so say you have the following rules.

log icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP Destination Unreachable"; itype:3;) 
alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master";flags:PA; content:"killme";)
 
In this case if you had your database plugin connected to the alert
facility, the database would only contain instances of the "DDoS -
Trin00 Attacker to Master" and no instances "ICMP Destination
Unreachable rule".

The "log" facility on the other hand will catch _both_ alert and log
rules so you will see instances of both. In 99% of the places the
database plugin is run, you will likely want to have it connected to
the "log" facility.

Nevertheless, there are a few people that wanted to have the database
only connected to the "alert" facility. So the decision to add this
configuration parameter was to enable maximum configuration options
and prevent the need to create an entirely new plugin for those
special cases where people want the plugin connected to "alert".

Currently for an output plugin to connect to the core snort engine it
must be configured to connect to either the log or alert facility.
This is a temporary situation because logging facilities will likely
move to be defined in configuration files rather than being
hardcoded. At that time there will no longer be a need for this
configuration parameter.

* Jed



More information about the Snort-users mailing list