[Snort-users] No alerts

Chris Green cmg at ...1935...
Sun Mar 31 18:31:03 EST 2002


Bill McCarty <bmccarty at ...5196...> writes:

> But, my configuration seems to be sanctioned. From the users manual:
>
>> Multiple output plugins may be specified in the Snort configuration file.
>> When multiple plugins of the same type (log, alert) are specified, they
>> are "stacked" and called in sequence when an event occurs. As with the
>> standard logging and alerting systems, output plugins send their data to
>> /var/log/snort by default or to a user directed directory (using the "-l"
>> command line switch).

Like anything, we give you the pieces to shoot yourself in the foot
:-)  Perhaps there should be more recommended admonishments in the
users manual.  I usually fold back in recommendations that I have the
ability to fix up.

>
> So, am I one of a few rare birds actually stacking multiple output
> plugins? My guess is not, but it's merely a guess. 

To the extent of using almost everything, I think you are unique ;-).

IDS is a CPU bound problem.  Every lil bit of processing we do eats up
CPU time.  The less CPU used, the better.  The more output plugins
chosen, the more CPU used.

> I do see that the Honeynet folks use, or used, a similar
> configuration. In fact, I think I based mine on theirs. See
> <http://project.honeynet.org/papers/honeynet/snort.conf>


Not sure why they do that either.

>
> In any case, my question stands: Is there a convenient way to obtain
> near real-time alert reporting when logging only to a binary file?

-A fast -b is a good compromise.

>  Otherwise, there's a strong reason for WANTING to stack multiple
> output plugins. Though it's certainly possible that doing so may
> increase the frequency or severity of snort problems, despite
> evidence that doing so should work okay. I dunno.

Yes, lots of the weirder configurations have bugs ( and some of the
common ones ). Lots of code is contributed and then never maintained
again and as architectures change, it's hard to keep up with the
"fringe".

If there are points of the manual that are unclear, drop me a line and
we'll see what we can do to clean them up.
--
Chris Green <cmg at ...950...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
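The "-A fast -b" compromise above keeps packet logging in a single binary (tcpdump-format) file while the alerts themselves go to a plain one-line-per-event text file, which is what makes near-real-time reporting cheap: nothing in Snort has to run a second output plugin, an outside process just tails the alert file. The script below is an added example, not code from this thread or from the Snort project. It assumes the one-line fast-alert format (timestamp, [gid:sid:rev], message, optional classification and priority, protocol, source -> destination); the sample alert lines are constructed for the demo, and `follow()` is the piece you would point at the real alert file.

```python
"""Near-real-time reporting from the text alert file that `snort -A fast` writes.

Added example (not from the thread or the Snort project). The line format
below is assumed, not taken from the page:

  03/31-18:31:03.123456  [**] [1:1234:5] MSG [**] [Classification: X] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80

Packet payloads live in the tcpdump-format file that `-b` produces; this
script never opens that file, so it costs Snort itself nothing.
"""
import re
import time
from dataclasses import dataclass
from typing import Iterator, List, Optional

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int      # 0 means the line carried no [Priority: n] field
    proto: str
    src: str           # "ip:port" for TCP/UDP, bare "ip" for ICMP
    dst: str


def parse_fast_line(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for anything else."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"] or "",
        priority=int(m["prio"]) if m["prio"] else 0,
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse a whole alert file's contents, silently skipping non-alert lines."""
    return [a for a in (parse_fast_line(l) for l in text.splitlines()) if a]


def urgent(alerts: List[Alert], max_priority: int = 2) -> List[Alert]:
    """Keep alerts at or above the given urgency (Snort: 1 is most severe)."""
    return [a for a in alerts if 0 < a.priority <= max_priority]


def format_report(a: Alert) -> str:
    """One-line human-readable summary suitable for a pager or syslog."""
    return f"{a.ts} P{a.priority} [{a.gid}:{a.sid}] {a.msg} {a.proto} {a.src} -> {a.dst}"


def follow(path: str, poll: float = 0.5, from_start: bool = False) -> Iterator[Alert]:
    """Tail the alert file like `tail -f`, yielding alerts as Snort appends them."""
    with open(path, "r") as fh:
        if not from_start:
            fh.seek(0, 2)  # start at EOF so only new alerts are reported
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            a = parse_fast_line(line)
            if a is not None:
                yield a


# Constructed sample lines for the demo and test; not captured from a real sensor.
SAMPLE = """\
03/31-18:31:03.123456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:3381 -> 10.1.1.9:80
03/31-18:31:04.000001  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.5 -> 10.1.1.9
this is not an alert line
"""

if __name__ == "__main__":
    for a in urgent(parse_alerts(SAMPLE)):
        print(format_report(a))
```

For live use replace the demo loop with `for a in follow("/var/log/snort/alert"): print(format_report(a))` (or hand the alert to whatever pager or syslog hook you have); Snort's own "-l" directory is where the `alert` file lands.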