[Snort-users] Log vs. Alert --end the confusion!
cmg at ...1935...
Mon Aug 12 15:11:01 EDT 2002
Steve Halligan <giermo at ...187...> writes:
> Ok, lets start with some definitions:
> Alert: Generate an alert for a packet. This is meant for events that are
> considered "high priority". Most signatures have this as their default
> action. After the alert is generated, the event is also logged. Note that
> payload is not captured in an alert. If you want to investigate further,
> look at the log output of the event corresponding to the alert.
Alert means to generate a textual message saying this event occurred
and to log it to the logging subsystem.
> Log: Log the event. Meant for less important event, and also to capture
> additional data from alert events that may be needed for further
Log means to log the packet that matches this event.
> Ok, those definitions may not be exactly right, but I think that they catch
> the drift of things. My problem is the following inconsistency relating to
> ALERT and its use by preprocessors.
> Let me use portscan2 as an example, however this also applies to fnord and
> possibly others.
As you've probably noticed, the logging subsystem doesn't do very well
on many->one alerts. This is a "to be fixed". :)
> 1) Calls alert, but never logs. Therefore no way to get payload data.
Should probably give it the singular packet data. Oversight noted. :)
> 2) Why are these using Alert in the first place. Portscans seem low
> priority. Wouldn't they be better in log?
The textual info that says they happened is a log.
> As an aside. I would like to put my vote in for a single generic message
> from portscan2. As it is, the msg looks like this "Portscan detected from
> a.b.c.d blah blah blah". For those of us that use a database, this adds a
> unique signature for each and every portscan. In addition to clogging up
> the signature table, it frustrates signature based queries. Why put the ip
> in the message? You can see it in the ip addr field anyway. If you need to
> know the number of ports/hosts, you can look in the scan.log.
Yeah... This makes sense. I'll add that. Thanks for reminding me on
mail instead of IRC.
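The alert/log distinction discussed above, shown as a Snort 2 configuration fragment. This is an added illustration, not configuration from the thread or from the Snort project; the output plugin names and the `$HOME_NET`/`$EXTERNAL_NET` variables are standard Snort 2 names, while the sids, the `msg` text and the `content` marker string are constructed for the example.

```snort
# Added example (not from the thread): where "alert" and "log" rule actions send their data.
# Output plugins in snort.conf decide what the logging subsystem does with each event.
output alert_fast: alert.fast      # one-line text message per alert (no payload)
output log_tcpdump: snort.log      # full packet, payload included, for every logged event

# "alert" action: emits the text message to alert_fast AND passes the packet to log_tcpdump.
# To inspect the payload behind an alert, open the corresponding packet in snort.log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE high-priority event"; content:"EXAMPLE-MARKER"; sid:1000001; rev:1;)

# "log" action: no text message at all; the matching packet just goes to log_tcpdump.
# Suited to lower-priority events where only the packet data is wanted for later review.
log tcp $EXTERNAL_NET any -> $HOME_NET 80 (content:"EXAMPLE-MARKER"; sid:1000002; rev:1;)
```

With this setup an `alert` rule produces both an alert.fast line and a snort.log packet, while a `log` rule produces only the packet; a database output plugin in place of these two behaves the same way with respect to which action generates a signature message, which is why the generic portscan2 message requested above matters for signature-based queries.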