[Snort-users] Snort 1.9, RH 7.3 and Acid

Erek Adams erek at ...577...
Tue Oct 8 09:13:02 EDT 2002


On Tue, 8 Oct 2002, Beckett, Josh wrote:

> >From the reference [0] below:
>
> "What this means in practical terms is that if the db plug-in
> is in alert mode, it will only receive output from alert rules, whereas
> if it's in "log" mode it will receive output from both log and alert
> rules."
>
> Great...but how do you tell if the plug-in is in alert mode or log mode?
> Strictly speaking, there was no mention of such a setting in the setup
> doc that I got from the snort site.  Additionally, that doesn't make
> sense.  The DB simply listens for an authorized user to insert some
> data.  It has no "mode."  (Maybe it is a reference to the setting that
> you are changing in the snort.conf file...._shrug_)

Yep.  Have a look at your db output line:

   output database: log, mysql, user=snort dbname=snort host=localhost

If you want to change the word 'log' to 'alert' you change the facility that
the db plugin sends to the db.

> I checked both links and neither gave me any appreciable information
> over the doc that I used for setup.
> http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
>
> Thanks for the attempt though.  The discussion about the difference
> between log and alert settings is interesting, but it seems to me that
> the settings are more geared toward syslog-type logging rather than db.

Actually, it's not really geared to anything except Marty.  :)  The term
'facility' doesn't mean it's geared to syslog.  It just means that syslog used
the term in a different meaning that Snort.  Consider the alert and log
facilities (of snort) as a channel on TV.  'Do you want to watch the alert
channel or the log channel?' is another way of thinking of it.

> The alert setting did start producing output, yet the log setting does
> not.  This is somewhat interesting (esp. since the log setting worked in
> 1.8.7 but not in 1.9.0), as the log setting should be noisier due to the
> fact that it should log all packets to the db, yet the db only seems to
> get info if snort is given the alert setting.

If you do a quick grep thru the rules for ones that start with "log" I'm sure
you won't find any.  All of them use "alert".  So by that, snort would only
send to the db what is 'alert' instead of what is labeled 'log'.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list