[Snort-users] No alerts

Chris Green cmg at ...1935...
Sun Mar 31 18:31:03 EST 2002

Bill McCarty <bmccarty at ...5196...> writes:

> But, my configuration seems to be sanctioned. From the users manual:
>> Multiple output plugins may be specified in the Snort configuration file.
>> When multiple plugins of the same type (log, alert) are specified, they
>> are "stacked" and called in sequence when an event occurs. As with the
>> standard logging and alerting systems, output plugins send their data to
>> /var/log/snort by default or to a user directed directory (using the "-l"
>> command line switch).

Like anything, we give you the pieces to shoot yourself in the foot
:-)  Perhaps there should be more recommended admonishments in the
users manual.  I usually fold back in recommendations that I have the
ability to fix up

> So, am I one of a few rare birds actually stacking multiple output
> plugins? My guess is not, but it's merely a guess. 

To the extent of using almost everything, I think you are unique ;-).

IDS is a CPU bound problem.  Every lil bit of processing we do eats up
CPU time.  The less CPU used, the better.  The more output plugins
chosen, the more CPU used.

> I do see that the Honeynet folks use, or used, a similar
> configuration. In fact, I think I based mine on theirs. See
> <http://project.honeynet.org/papers/honeynet/snort.conf

Not sure why they do that either.

> In any case, my question stands: Is there a convenient way to obtain
> near real-time alert reporting when logging only to a binary file?

-A fast -b is a good compromise.

>  Otherwise, there's a strong reason for WANTING to stack multiple
> output plugins. Though it's certainly possible that doing so may
> increase the frequency or serverity of snort problems, despite
> evidence that doing so should work okay. I dunno.

Yes, lots of the weirder configurations have bugs ( and some of the
common ones ). Lots of code is contributed and then never maintained
again and as architectures change, its hard to keep up with the

If there are points of the manual that are unclear, drop me a line and
we'll see what We can do to clean them up.
Chris Green <cmg at ...950...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

More information about the Snort-users mailing list