[Snort-users] Output plugins - differences between logging methods?

Saad Kadhi bsdguy at ...4401...
Sat Jan 26 04:10:07 EST 2002


On Sat, 2002-01-26 at 13:00, Bob Walder wrote:
> Whilst we have had far too many questions that could have been answered by
> RTFM recently, I do not believe this is one of them.
Generally I like people to do as I did/do/will forever be doing: do
homework (manpages, FAQ, documentation, list archives, usenet), then ask.
If I appeared to be harsh toward this poster, I apologize to every
single person who felt offended. What put me in "./configure --RTFM"
mode is the stupid HTML format we keep receiving on this mailing list.
My Evolution mail client doesn't like it much, nor do the various
console-mode email clients I use to stroll through mail quickly.


> 
> Read his original question carefully, the re-read that section of the FAQ
> you quoted - it doesn't answer it.
> 
> He is asking "since both LOG and ALERT appear to be producing the same
> output, why should I use both of them? Except, if I only use LOG then I will
> miss port scans....but if I only use ALERT, will I get full packet
> contents....? etc, etc, etc"
I saw that. I answered that way to give him hints as to where to look (I
ended the message with a URL to search the archives). Anyway, the quoted
snippet surely looks cryptic. At least it breaks down his initial problem
into something easier to understand: what is the difference between an
alert plugin and a log plugin? So here we have de-coupled the question
from the database/not-database problem. It then makes sense to try both
(alert & log) one at a time, with output to a straight file for example,
to see the real difference. But maybe I'm completely mistaken since I'm
short on grapefruits these days :p

> 
> A common question in my experience but not one I feel qualified to answer
> succinctly

I hope no harm is done and no one took offense.

> 
> Regards,
> 
> Bob
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Saad Kadhi
> Sent: 25 January 2002 23:24
> To: Rockoff, Dan
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Output plugins -differences between
> loggingmethods?
> 
> 
> [PLEASE DROP THE HTML EMAIL. THIS IS NOT NETIQUETTE-COMPLIANT]
> 
> On Fri, 2002-01-25 at 17:39, Rockoff, Dan wrote:
> > I have successfully set up snort logging to a MySql database, and it has
> > been running fine for over a month now with no problems.
> >
> > I am curious however what the differences are between the "output database:
> > log, and output database: alert" functions.
> >
> > If I have both enabled, it looks like I get duplicate data for most hits
> > with the exception of portscans.
> >
> > Should I just use alert, or am I losing something by not using the "log"
> > facility?
> Taken from
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5:
> Furthermore, there is a logging method and database type that must be
> defined. There are two logging types available, log and alert. Setting
> the type to log attaches the database logging functionality to the log
> facility within the program. If you set the type to log, the plugin will
> be called on the log output chain. Setting the type to alert attaches
> the plugin to the alert output chain within the program.
> 
> Please see the documentation & FAQ on http://www.snort.org. They are
> pretty well written & you should find answers to a lot of questions that
> you may have before posting to this list. It would also be a good idea to
> search the archives at:
> http://marc.theaimsgroup.com
 
-- 
/Saad --  [bsdguy at ...4401...] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desperate, degauss your screen. it might solve your problem as well
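As an added example (not from the thread or from the Snort documentation), here is a minimal snort.conf fragment that runs the experiment Saad suggests: one output plugin per chain, each writing to a plain file, so the log/alert split can be seen without the database in the way. The file paths, network variables and the two rules are made up for illustration.

```conf
# Added example: separate the two Snort output chains into two plain files.
# Paths, variables and rules below are constructed for illustration only.

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# Alert chain only: one short line per alert, no packet payload.
output alert_fast: /var/log/snort/alert.fast

# Log chain only: the full packets, written in tcpdump (pcap) format.
output log_tcpdump: /var/log/snort/snort.log

# The database plugin is hung on exactly one of the same two chains by its
# first argument. Enabling both lines stores most rule hits twice, which is
# the duplication the original poster observed.
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: alert, mysql, user=snort dbname=snort host=localhost

# An "alert" rule fires on both chains: an entry in alert.fast and the
# packet in snort.log. A "log" rule goes only to the log chain, so it never
# appears in alert.fast, nor in a database plugin configured as "alert".
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"example telnet SYN"; flags:S; sid:1000001;)
log tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"example ftp, log chain only";)
```

Comparing the two files after some traffic shows what each chain receives; a rule whose hits show up in snort.log but never in alert.fast is exactly what an "alert"-type database plugin would miss.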