[Snort-users] Question about Snort/ACID/MySQL and how they play together

Michael Steele michaels at ...155...
Fri Apr 25 11:40:15 EDT 2003


All,

This was a conversation that I was having with Erek on the difference
between log and alert. It seems that Erek is indisposed, as there have
been no posts from him :(, so I'll throw it out to the masses and maybe
someone can enlighten me.

This is an excerpt from a previous message from Erek. His response seems
to contradict my tests. Could my testing be skewed in some way?

----------\
Alert only does alert whereas log does alert and log.  It's confusing
since they are both named the same, but seem to have different meanings
in the db plug-in.  Remember how you need to have 'log' to get output
from the portscan(2) preprocessor into ACID?
----------/

Ok, I have tested three settings and this is what I have come up with:

I cleaned out the log folder prior to each test and restarted Snort at
the appropriate times to get the IDS back up and fully functioning.

Test 1) Using 'output database alert' and 'output database log' in my
snort.conf file. Then I ran a scan on the IDS.

Result of scan: Logged all traffic including portscans to MySQL.

In the log folder: Only portscan.log created.

Test 2) Using the 'output database log' only in my snort.conf file. Then
I ran a scan on the IDS.

Result of scan: Logged all traffic except portscans to MySQL.

In the log folder: Only portscan.log created.

Test 3) Using the 'output database alert' only in my snort.conf file.
Then I ran a scan on the IDS.

Result of scan: Logged all traffic including portscans to MySQL.

In the log folder: portscan.log was created, along with folders named by
IP address with logs inside each folder.

Out of all three tests, no /log/alert.ids file created.

Test 1 logs everything to MySQL, including creating the portscan.log
file, but no log file was created by alerts that were triggered by
rules.

Test 2 is not an option if you want to log portscans to the MySQL
database.

Test 3 logs everything to MySQL, including creating the portscan.log
file, and it also creates logs in /log/<IP>/ from alerts that were
triggered by rules.

What is the difference between Test 1 and Test 2 as far as the end
results go?

Are they both doing the exact same thing except Test 3 is creating the
log files?

I thought I had this all down, but for some reason it's not clicking. It
looks like what Erek told me contradicts what my tests are coming up
with.

Thank you...

Michael
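The message names the two facilities but never shows the snort.conf lines behind the three tests. The fragment below is an added example, not text from the original post or from the Snort project; it uses the documented syntax of the database output plugin (`output database: <log | alert>, <database type>, <parameter list>`), and the user, password, dbname and host values are placeholders.

```conf
# Added example (not from the original post): database output lines for
# the three tests. Credentials, dbname and host are placeholders.
#
# Plugin syntax: output database: <log | alert>, <database type>, <parameter list>
# Documented optional parameters: sensor_name=<name>, detail=<full|fast>,
# encoding=<hex|base64|ascii>, port=<port>.

# Test 1: bind both the alert facility and the log facility to MySQL.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost detail=full encoding=hex

# Test 2: log facility only (leave the alert line commented out).
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Test 3: alert facility only (leave the log line commented out).
# output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

The facility name selects which of Snort's two output chains the plugin is attached to. Per the Snort rule-action documentation, a rule with the `alert` action generates an alert and then logs the packet, while a rule with the `log` action only logs the packet, so a plugin bound to the log facility sees events from both kinds of rules, and a plugin bound to the alert facility sees only alert rules. Which facility a given preprocessor reports through is what the thread above is trying to pin down, and that is not settled by the configuration alone.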