[Snort-users] Alerts vs. logged

Martin Roesch roesch at ...1935...
Wed May 10 17:10:19 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Vidar,

The alerts and logged values are based on the number of alerts  
generated and the number of packets logged.  It is possible to have  
alerts which have no logs just as it is possible to log packets  
without alerting, so we maintain separate counters for the summary data.

      -Marty

On Apr 12, 2006, at 7:50 AM, Vidar Evenrud Seeberg wrote:

> Hello gurus!
>
> This may be a simple question, but I need to get my thoughts  
> confirmed:
>
> When Ctrl-C Snort shows a summary page where among else ALERTS and
> LOGGED numbers are presented. Am I right when I interpret these  
> numbers
> as LOGGED being all true positives and false negatives detected by  
> Snort
> and ALERTS being all unique types of attacks detected? E.g. 5  
> detections
> of attack 1, 3 detections of attack 2 and 4 detections of attack 3  
> gives
> 3 ALERTS and 12 LOGGED.
>
> I know that there may be log-rules present in the rule set.  
> However, in
> my data set only HTTP traffic are present and all rules enabled are
> alert-rules. No log-rules are present.
>
> Looing forward to an answer.
>
> Regards
> Vidar S.
>
>
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services,  
> security?
> Get stuff done quickly with pre-integrated technology to make your  
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> Geronimo
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEYoC5qj0FAQQ3KOARAvezAJ9EV/o45v77HXdwtbl8JLwkTynFEwCfcvMg
QlnKwSQ2yWRjCBVQ02ssGls=
=oAg1
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list