[Snort-users] Output plugins - differences between logging methods?

Actually I wasn't having a go at you, I just hoped someone else might be
able to provide a more considered answer...

No offence taken



On Sat, 2002-01-26 at 13:00, Bob Walder wrote:
> Whilst we have had far too many questions that could have been answered by
> RTFM recently, I do not believe this is one of them.
Generally I like people to do as I did/do/will forever be doing: do
homework (manpages, FAQ, documentation, list archives, usenet) then ask.
If I appeared harsh to this poster, I apologize to every single person
who felt offended. What put me in "./configure --RTFM" mode is the
stupid HTML format we keep receiving in this mailing list. My evolution
mail client doesn't like it much, nor do the different console-mode
email clients I use to stroll through mail quickly.

> Read his original question carefully, then re-read that section of the FAQ
> you quoted - it doesn't answer it.
> He is asking "since both LOG and ALERT appear to be producing the same
> output, why should I use both of them? Except, if I only use LOG then I
> miss port scans....but if I only use ALERT, will I get full packet
> contents....? etc, etc, etc"
I saw that. I answered that way to give him hints as to where to look (I
ended the message w/ a URL to search the archives). Anyways, the quoted
snippet surely looks cryptic. At least, it breaks down his initial problem
to understand: what is the difference between an alert plugin & a log
plugin? So here we have de-coupled the question from the
database/not-database problem. It then makes sense to try both
(alert & log) one at a time & output to a straight file, for example, to see
the real difference. But maybe I'm completely mistaken since I'm short
on grapefruits these days :p

> A common question in my experience but not one I feel qualified to answer
> succinctly

I hope no harm is done and no one took offense.

> On Fri, 2002-01-25 at 17:39, Rockoff, Dan wrote:
> > I have successfully set up snort logging to a MySql database, and it has
> > been running fine for over a month now with no problems.
> >
> > I am curious however what the differences are between the "output
> > database: log" and "output database: alert" functions.
> >
> > If I have both enabled, it looks like I get duplicate data for most hits
> > with the exception of portscans.
> >
> > Should I just use alert, or am I losing something by not using the "log"
> > facility?
> Taken from
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5:
> Furthermore, there is a logging method and database type that must be
> defined. There are two logging types available, log and alert. Setting
> the type to log attaches the database logging functionality to the log
> facility within the program. If you set the type to log, the plugin will
> be called on the log output chain. Setting the type to alert attaches
> the plugin to the alert output chain within the program.
> Please see the documentation & FAQ on http://www.snort.org. They are
> pretty well written & you should find answers to a lot of questions that
> you may have before posting to this list. A good idea will be also to
> search the archives at:
> http://marc.theaimsgroup.com
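As an added illustration (not part of this thread, the Snort documentation, or anyone's posted configuration), here is a snort.conf fragment that does what the reply above suggests: it attaches a plain-file plugin to each of the two output chains so their contents can be compared side by side, and shows the two `output database:` forms from the original question next to them. The host, user and password values are placeholders, the two rules are constructed for the example, and the comments rely on the documented Snort rule-action semantics: an `alert` rule fires the alert chain and then also hands the packet to the log chain, while a `log` rule only uses the log chain. That is why enabling both database forms stores most hits twice.

```conf
# Added example (not from the thread): one plain-file plugin per output chain,
# so the difference between the "alert" and "log" chains is visible on disk.
# Network, user and password values are placeholders.
var HOME_NET 192.168.1.0/24

# --- alert output chain ---------------------------------------------------
# Called when a rule with the "alert" action fires: one text line per event.
output alert_fast: alert.ids

# --- log output chain -----------------------------------------------------
# Called for rules with the "log" action, and also after an "alert" rule has
# alerted. Receives the full packet; binary pcap readable with "tcpdump -r".
output log_tcpdump: snort.log

# --- the two database forms from the original question --------------------
# Same plugin attached to different chains. With both enabled, every packet
# that triggers an "alert" rule is stored once per chain (the duplication
# described in the question). Commented out here; enable one at a time.
# output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
# output database: log,   mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Constructed rules to exercise each chain.
# "alert": event goes to alert.ids, then the packet also goes to snort.log.
alert tcp any any -> $HOME_NET 23 (msg:"Example: telnet SYN to HOME_NET"; flags:S; sid:1000001; rev:1;)
# "log": packet goes to snort.log only; nothing appears in alert.ids.
log tcp any any -> $HOME_NET 21 (msg:"Example: ftp packet logged only"; sid:1000002; rev:1;)
```

Running with this fragment and then comparing `alert.ids` against `tcpdump -r snort.log` shows the distinction directly: the alert chain is the event stream, the log chain is the packet store, and anything reported only through the alert chain (as the original poster observed for port scans) is absent from a log-only configuration.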

