[Snort-users] Output plugins - differences between logging methods?

Martin Roesch roesch at ...1935...
Sat Jan 26 08:36:05 EST 2002


I'll chime in since I'm qualified to answer (I hope).

(everyone turn on your tape recorders, this is FAQ material)

Here's the deal:

There are two primary output facilities in Snort, logging and alerting. 
The alerting facility exists to let you know that something interesting
has happened.  The logging facility exists to log full packet
information to the output format (pcap, ascii, database, etc).

The "alert" action in Snort is hard coded to do two things when an event
is detected by Snort, write an event to the alert facility and log as
much as possible/desired to the output facility.  The "log" action
merely logs the current packet to the logging facility without
generating an alert.  This is done so you can log interesting things
(telnet sessions, whatever) without having to generate an alert on every
packet.

The database plugin is something of an anomaly because it doesn't
separate the two functionalities very much.  The "log" option attaches
it to the log facility and the "alert" option attaches it to the alert
facility.  What this means in practical terms is that if the db plugin
is in alert mode, it will only receive output from alert rules, whereas
if it's in "log" mode it will receive output from both log and alert
rules.

     -Marty

Bob Walder wrote:
> 
> Actually I wasn't having a go at you, I just hoped someone else might be
> able to provide a more considered answer...
> 
> No offence taken
> 
> Regards,
> 
> Bob
> 
> -----Original Message-----
> From: Saad Kadhi [mailto:bsdguy at ...4401...]
> Sent: 26 January 2002 12:08
> To: Bob Walder
> Cc: Snort Users
> Subject: RE: [Snort-users] Output plugins - differences between logging methods?
> 
> On Sat, 2002-01-26 at 13:00, Bob Walder wrote:
> > Whilst we have had far too many questions that could have been answered by
> > RTFM recently, I do not believe this is one of them.
> Generally I like people to do as I did/do/will forever be doing: do
> homework (manpages, FAQ, documentation, list archives, usenet) then ask.
> If I appeared to be harsh to this poster, I apologize to every
> single person who felt offended. What put me in "./configure --RTFM"
> mode is the stupid HTML format we keep receiving in this mailing list.
> My evolution mail client doesn't like it much, nor do the different
> console-mode email clients I use to stroll through mail quickly.
> 
> >
> > Read his original question carefully, then re-read that section of the FAQ
> > you quoted - it doesn't answer it.
> >
> > He is asking "since both LOG and ALERT appear to be producing the same
> > output, why should I use both of them? Except, if I only use LOG then I will
> > miss port scans....but if I only use ALERT, will I get full packet
> > contents....? etc, etc, etc"
> I saw that. I answered that way to give him hints as to where to look (I
> ended the message with a URL to search the archives). Anyway, the quoted
> snippet surely looks cryptic. At least, it breaks down his initial problem to
> understand: what is the difference between an alert plugin and a log
> plugin? So here we have de-coupled the question from the
> database/not-database problem. It then makes sense to try both
> (alert & log) one at a time and output to a straight file, for example, to see
> the real difference. But maybe I'm completely mistaken since I'm short
> on grapefruits these days :p
> 
> >
> > A common question in my experience but not one I feel qualified to answer
> > succinctly
> 
> I hope no harm is done and no one took offense.
> 
> >
> > Regards,
> >
> > Bob
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Saad Kadhi
> > Sent: 25 January 2002 23:24
> > To: Rockoff, Dan
> > Cc: 'snort-users at lists.sourceforge.net'
> > Subject: Re: [Snort-users] Output plugins - differences between logging methods?
> >
> >
> > [PLEASE DROP THE HTML EMAIL. THIS IS NOT NETIQUETTE-COMPLIANT]
> >
> > On Fri, 2002-01-25 at 17:39, Rockoff, Dan wrote:
> > > I have successfully set up snort logging to a MySql database, and it has
> > > been running fine for over a month now with no problems.
> > >
> > > I am curious however what the differences are between the "output
> > database:
> > > log, and output database: alert" functions.
> > >
> > > If I have both enabled, it looks like I get duplicate data for most hits
> > > with the exception of portscans.
> > >
> > > Should I just use alert, or am I losing something by not using the "log"
> > > facility?
> > Taken from
> > http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5:
> > Furthermore, there is a logging method and database type that must be
> > defined. There are two logging types available, log and alert. Setting
> > the type to log attaches the database logging functionality to the log
> > facility within the program. If you set the type to log, the plugin will
> > be called on the log output chain. Setting the type to alert attaches
> > the plugin to the alert output chain within the program.
> >
> > Please see the documentation & FAQ on http://www.snort.org. They are
> > pretty well written & you should find answers to a lot of questions that
> > you may have before posting to this list. A good idea will be also to
> > search the archives at:
> > http://marc.theaimsgroup.com
> 
> --
> /Saad --  [bsdguy at ...4401...]
> [pgp keyid: 35592A6D http://pgp.mit.edu]
> # buy a geek-in-a-can, point nozzle at technical problem and spray
> # if desperate degauss your screen. it might solve your problem as well
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
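
The behaviour Marty describes above (an "alert" rule feeds both output chains,
a "log" rule feeds only the log chain, and a plugin attached with "log" therefore
sees a superset of what a plugin attached with "alert" sees) can be checked with
a small model of the two output chains. The block below is an added
illustration, not Snort's own code: the Engine class, the two constructed rules,
the three constructed packets and the plugin names are all assumptions made for
the example, and the snort.conf lines in the docstring use placeholder database
parameters. It does not try to reproduce Snort's rule ordering; the two rules
match disjoint ports so ordering does not matter here.

```python
"""Toy model of Snort's two output chains, "alert" and "log", as described
in the message above.  Added example, not Snort source code.  The rules,
packets and plugin names are constructed for illustration.

The snort.conf lines this model stands in for (database parameters are
placeholders, not a recommendation):

    output database: alert, mysql, user=snort dbname=snort host=localhost
    output database: log,   mysql, user=snort dbname=snort host=localhost
"""

from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str   # the rule action keyword: "alert" or "log"
    proto: str
    dport: int
    msg: str


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


@dataclass
class OutputPlugin:
    name: str
    chain: str                          # chain it is attached to: "alert" or "log"
    received: list = field(default_factory=list)


class Engine:
    """Dispatches matched rules to the alert chain, the log chain, or both."""

    def __init__(self):
        self.alert_chain = []
        self.log_chain = []

    def add_output(self, plugin):
        if plugin.chain == "alert":
            self.alert_chain.append(plugin)
        elif plugin.chain == "log":
            self.log_chain.append(plugin)
        else:
            raise ValueError(f"unknown output chain {plugin.chain!r}")

    def process(self, rules, pkt):
        for rule in rules:
            if rule.proto != pkt.proto or rule.dport != pkt.dport:
                continue
            if rule.action == "alert":
                # "alert": an event on the alert chain AND the packet on the log chain
                for p in self.alert_chain:
                    p.received.append(("alert", rule.msg, pkt))
                for p in self.log_chain:
                    p.received.append(("log", rule.msg, pkt))
            elif rule.action == "log":
                # "log": the packet goes to the log chain only, no alert event
                for p in self.log_chain:
                    p.received.append(("log", rule.msg, pkt))
            else:
                raise ValueError(f"unknown rule action {rule.action!r}")


# Constructed rule set and traffic for the demonstration.
RULES = [
    Rule("log", "tcp", 23, "telnet session (logged, never alerted)"),
    Rule("alert", "tcp", 80, "constructed HTTP rule (alerted and logged)"),
]
TRAFFIC = [
    Packet("tcp", 23, b"login: "),
    Packet("tcp", 23, b"Password: "),
    Packet("tcp", 80, b"GET / HTTP/1.0\r\n\r\n"),
]


def run(db_modes):
    """Attach one database plugin per requested mode and record what each sees."""
    eng = Engine()
    plugins = [OutputPlugin(f"database:{m}", m) for m in db_modes]
    for p in plugins:
        eng.add_output(p)
    for pkt in TRAFFIC:
        eng.process(RULES, pkt)
    return {p.name: [(kind, msg) for kind, msg, _ in p.received] for p in plugins}


def compare_modes():
    """Row counts for 'alert' only, 'log' only, and both plugins configured."""
    alert_only = run(["alert"])["database:alert"]
    log_only = run(["log"])["database:log"]
    both = run(["alert", "log"])
    return {
        "alert_only_rows": len(alert_only),
        "log_only_rows": len(log_only),
        "both_rows": sum(len(v) for v in both.values()),
        "log_only_msgs": sorted({m for _, m in log_only}),
    }


if __name__ == "__main__":
    for key, value in compare_modes().items():
        print(key, value)
```

With the two constructed rules and three packets, the plugin attached with
"alert" records one row (the HTTP hit), the plugin attached with "log" records
three (two telnet packets plus the HTTP hit), and configuring both yields four
rows, with the HTTP event stored twice. That is the duplication the original
poster observed, and why "log" alone loses nothing that an "alert" rule produces,
apart from events that have no packet behind them.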