[Snort-users] Log vs. Alert --end the confusion!

Chris Green cmg at ...1935...
Mon Aug 12 15:11:01 EDT 2002

Steve Halligan <giermo at ...187...> writes:

> Ok, lets start with some definitions:
> Alert:  Generate an alert for a packet.  This is meant for events that are
> considered "high priority".  Most signatures have this as their default
> action.  After the alert is generated, the event is also logged.  Note that
> payload is not captured in an alert.  If you want to investigate further,
> look at the log output of the event corresponding to the alert.

Alert means to generate a textual message saying this event occurred
and to log it to the logging subsystem.

> Log:  Log the event.  Meant for less important event, and also to capture
> additional data from alert events that may be needed for further
> investigation.

Log means to log the packet that matches this event. 

> Ok, those definitions may not be exactly right, but I think that they catch
> the drift of things.  My problem is the following inconsistency relating to
> ALERT and its use by preprocessors.
> Let me use portscan2 as an example, however this also applies to fnord and
> possibly others.

As you've probably noticed, the logging subsystem doesn't do very well
on many->one alerts. This is a "to be fixed". :)

> 1)  Calls alert, but never logs.  Therefore no way to get payload data.  

Should probably give it the singular packet data.  Oversight noted. :)

> 2)  Why are these using Alert in the first place.  Portscans seem low
> priority.  Wouldn't they be better in log?

The textual info that says they happened is a log.

> As an aside.  I would like to put my vote in for a single generic message
> from portscan2.  As it is, the msg looks like this "Portscan detected from
> a.b.c.d blah blah blah".  For those of us that use a database, this adds a
> unique signature for each and every portscan.  In addition to clogging up
> the signature table, it frustrates signature based queries.  Why put the ip
> in the message?  You can see it in the ip addr field anyway.  If you need to
> know the number of ports/hosts, you can look in the scan.log.

Yeah... This makes sense.  I'll add that.  Thanks for reminding me on
mail instead of IRC.
