[Snort-users] Re: Alerts, Logs and DB's--Oh My!
erek at ...577...
Wed Mar 13 11:41:03 EST 2002
On Wed, 13 Mar 2002 bthaler at ...2720... wrote:
> Geez! Now I'm really confused!
Great! You'll fit right in here! ;-)
> Read this statement by Marty:
> "What this means in practical terms is that if the db plugin
> is in alert mode, it will only receive output from alert rules, whereas
> if it's in "log" mode it will receive output from both log and alert
> This means that the database output plugin, configured to run in "log" mode
> will write both "alert" and "log" output to the database, right?
It means it will write "alert" and "log" _RULES_ to the DB. (More info below)
> So if this is true, then why does the output plugin need to be set to
> "alert" to capture spp_portscan and evidently spp_anomsensor?
In spp_portscan.c you have this line:
1559: CallAlertFuncs(NULL, logMessage, NULL, &event);
Now, when it gets sent back to snort, snort sees that info as an Alert, not a
As for Spade, well... I'm not much of a coder, but I'd bet it's the same
> I may be missing something obvious here, but this doesn't make sense to me.
> If "log" logs both "alert" and "log" (does that make sense?), then we should
> see spp_portscan (and with it spp_anomsensor) with the output plugin set to
> "log" but we don't, so this must not be completely true.
> Please forgive my ignorance...
"Ignorance is curable, stupidity is not."--My Calc teacher in college. :)
Consider this: When plugins were first built into snort, there wasn't a
lot of design in the framework. Now there is. IIRC, spp_portscan was the
first pre-processor that was written. So you might see some weird things
going on in it.
> On another note, I noticed that many of the fancier features of snort are
> dependent on the "alert" facility, which writes those pesky "alert" files to
> my HD, as well as those IP Address directories.
> I was under the impression that maximum performance/attack information would
> be achieved by having Snort output to a database on a remote host, as
> opposed to a local database or local logfiles. When I use the "alert"
> facility combined with the database output plugin, I still get the "alert",
> etc. files written locally. I understand that this is not a "bug" per se,
> but is just the way Snort works, but it seems counter-intuitive to me. I
> mean I'm going through all the trouble of maintaining a separate machine
> just to run MySQL and maximize performance, and Snort insists on writing
> files locally. This not only hinders performance, but could be used as a
> way to DOS snort with "noise" filling my sensor's HD.
OK, consider using Barnyard and unified logging. At the present, it's still
'beta' but works fairly well from what I hear/see.
> I need to run IDS on a 45Mb connection, so I need all the performance I can
> get. At the same time, I need as much information about incoming attacks as
> possible. I realize that this is a compromise, but it seems that Snort is
> "wasting" performance by writing these files, at least in my situation,
> since all of that info is already in the database.
Barnyard will become your friend. There are some folks here on the list who
are doing a bit more than what you want. Just have a look back over the
archives and grep for performance. You'll get more than you ever wanted to
> Anyway, this is just my perspective...Let me know if I'm missing something
Ummm... Nope. Seem to be doin fine! :)
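As an added example that is not part of the thread, a snort.conf fragment contrasting the two database-plugin modes discussed above with the unified-output setup erek points to; the database name, user, password and host are placeholders, and the behaviour noted in the comments is what the thread states, not a claim about other Snort versions.

```conf
# --- Option 1: database plugin in "log" mode ---
# Receives output from rules with action "alert" AND "log", but not
# from preprocessors such as spp_portscan, which hand their events to
# CallAlertFuncs() and therefore only reach "alert"-mode plugins.
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=db.example.internal

# --- Option 2: database plugin in "alert" mode ---
# Receives "alert" rules plus preprocessor alerts (spp_portscan, and
# per the thread most likely spp_anomsensor/Spade), but not "log" rules.
# The local "alert" file and per-IP directories are still written.
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=db.example.internal

# --- Option 3: unified output, database writes handed off to Barnyard ---
# Snort only writes binary spool files locally (rolled at 128 MB here);
# a separate Barnyard process reads them and inserts into the remote DB,
# so the sensor is not slowed by SQL round trips or per-alert text files.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

Pick one of the three, not all of them: each `output database:` line adds another round trip to the DB per event.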