[Snort-users] Events vs. Alerts

Thomas Hyslip thomas.hyslip at ...11827...
Mon Feb 10 19:32:41 EST 2014


Not quite sure I understand the difference between an event and an alert.
I have a threshold within a rule for 25 SYN packets every second (DDoS)
egressing the network.

I have tried different pcaps with tcpreplay to test the rule. When I know
there are more than 25 SYN packets within a second, I see the alerts in
barnyard2 and afterwards when I stop Snort. But, when I'm sure there are
not 25 SYNs in one second, I get no alerts, but after stopping Snort and
barnyard, I see events were logged or filtered.

So, I am a little confused what Snort means by an event that is not an
alert. Also, FYI, I have no other rules or preprocessors running. Here
is the output from Snort:

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:          241
      Alert:            0
Verdicts:
      Allow:       722528 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=1000001    type=Threshold tracking=src count=25 seconds=1   filtered=241

Any idea what the 241 event and filtered counts could be?

Thanks
Tom
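For readers following this thread: in Snort's summary counters every packet that matches the rule body is an event, and the threshold filter then decides whether that event becomes an alert; matches that do not reach the count inside the window are tallied as filtered, which is consistent with Event: 241 / Alert: 0 / filtered=241 above. The following is an added illustration, not Snort code or anything from the original post, that simulates a `type threshold, track by_src, count 25, seconds 1` filter over constructed packet timestamps; the exact window-reset rule is an assumption modelled on the manual's "alert every m-th event during the interval" wording.

```python
from collections import defaultdict


def run_threshold(packets, count=25, seconds=1.0):
    """Simulate a Snort threshold filter of type 'threshold', track by_src.

    packets: iterable of (timestamp_seconds, src_ip) tuples; each tuple is
    one packet that already matched the rule body, i.e. one rule *event*.
    Returns totals mirroring the 'Event', 'Alert' and 'filtered=' counters
    in Snort's shutdown summary. Window handling (assumption): a per-source
    window opens on the first match and is restarted once it is 'seconds'
    old; an alert fires each time 'count' matches land inside one window.
    """
    state = defaultdict(lambda: {"start": None, "n": 0})
    stats = {"events": 0, "alerts": 0, "filtered": 0}
    for ts, src in sorted(packets):
        stats["events"] += 1          # every rule match is an event
        s = state[src]
        # open a new window if this source has none or the old one aged out
        if s["start"] is None or ts - s["start"] >= seconds:
            s["start"], s["n"] = ts, 0
        s["n"] += 1
        if s["n"] >= count:
            stats["alerts"] += 1      # threshold reached: event becomes alert
            s["n"] = 0                # alert again after another 'count' matches
        else:
            stats["filtered"] += 1    # below threshold: counted, not alerted
    return stats


# Constructed sample traffic (not a real capture):
# host 10.0.0.5 sends 30 SYNs inside 0.5 s (crosses the threshold once),
# host 10.0.0.9 sends 24 SYNs spread over 3 s (never 25 inside one second).
SAMPLE = [(i * (0.5 / 30), "10.0.0.5") for i in range(30)]
SAMPLE += [(i * (3.0 / 24), "10.0.0.9") for i in range(24)]

if __name__ == "__main__":
    # 54 events, 1 alert (host .5), 53 filtered (29 from .5, all 24 from .9)
    print(run_threshold(SAMPLE))
```

Feeding it only the slow sender reproduces the poster's situation: events and filtered are equal and no alert is produced.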

