[Snort-users] No alerts

Erek Adams erek at ...577...
Mon Mar 25 18:48:03 EST 2002

On Mon, 25 Mar 2002, Bill McCarty wrote:


> But, my configuration seems to be sanctioned. From the users manual:

IMHO, Sanctioned == Suggested.  This type of config _ISN'T_ suggested for
large amounts of data.

The output plugins do work in this fashion.  They will get the data to the
right places, _but_ at a cost.  <see below>


> So, am I one of a few rare birds actually stacking multiple output plugins?
> My guess is not, but it's merely a guess. I do see that the Honeynet folks
> use, or used, a similar configuration. In fact, I think I based mine on
> theirs. See <http://project.honeynet.org/papers/honeynet/snort.conf>.

Consider this about alert_full and alert_fast:  alert_fast is a part of
alert_full--(I guess sub_set might be used here....).  Since you are writing
the same data (75%) twice, why not drop alert fast and speed up your disk
writes and I/O waits?

The developers tend to deal with _large_ pipes DS3+ and want things to be as
fnorkin' fast as can be.  :)  On a slow net, honeynet or DSL homenet, things
are different.

You might also want to note that when the original config (for honey{net,pot})
that barnyard wasn't a reality.  Now that it is, you can send to BY and have
it populate the DB for 'very near' realtime updates.

> In any case, my question stands: Is there a convenient way to obtain near
> real-time alert reporting when logging only to a binary file?

IMHO?  I'd say using BarnYard to send data to ACID or DeMarc or <homebrew

> Otherwise, there's a strong reason for WANTING to stack multiple output
> plugins.  Though it's certainly possible that doing so may increase the
> frequency or serverity of snort problems, despite evidence that doing so
> should work okay. I dunno.

Yes, you can and might even want to stack outputs.  But, in my mind you are
better off defining a custom rule type for all that type of output.  I'm
thinking about 'high speed' snorting here--But only the traffic that is
'really 3l33t' should be logged to all the types.  Otherwise, just stuff it
into the DB for analysis.  But then again, I don't play a Incident Handler,
even on TV.  ;-)

Good luck!

Erek Adams

