[Snort-users] Events vs. Alerts

Nicholas Mavis (nmavis) nmavis at ...589...
Tue Feb 11 10:14:15 EST 2014


Event Limit counts events not alerted due to event_filter limits.

Alert Limit counts events that were not alerted because they were already triggered on the session.

-Nick

From: Thomas Hyslip <thomas.hyslip at ...11827...>
Date: Monday, February 10, 2014 7:32 PM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Events vs. Alerts

Not quite sure I understand the difference between an event and an alert.  I have a threshold within a rule for 25 SYN packets every second (DDoS) egressing the network.

I have tried different pcaps with tcpreplay to test the rule.  When I know there are more than 25 SYN packets within a second, I see the alerts in barnyard2 and afterwards when I stop Snort.  But, when I'm sure there are not 25 SYNs in one second, I get no alerts, but after stopping Snort and barnyard, I see events were logged or filtered.

So, I am a little confused what Snort means by an event that is not an alert.  Also, FYI, I have no other rules or preprocessors running.  Here is the output from Snort:

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:          241
      Alert:            0
Verdicts:
      Allow:       722528 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=1000001    type=Threshold tracking=src count=25  seconds=1   filtered=241

Any idea what the 241 event and filtered could be?

Thanks
Tom
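To make Nick's distinction concrete, here is a small Python model of how a type=threshold, tracking=src event_filter turns rule matches into either alerts or filtered events. It is an added illustration, not Snort's own sfthd code, and it simplifies Snort's bookkeeping (a per-source window that starts at the first match, resets after `seconds`, and counts matches until `count` is reached). The packet stream is constructed: source 10.0.0.1 sends 30 SYNs in under a third of a second, source 10.0.0.2 sends 20 SYNs spread over two seconds.

```python
"""Toy model of Snort's event_filter 'threshold' type with tracking=src.

Assumption: this approximates Snort's sfthd logic; it is illustrative
code added to the thread, not Snort's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class ThresholdFilter:
    """event_filter gen_id G, sig_id S, type threshold, track by_src,
    count C, seconds T: alert on every C-th match from one source
    inside a T-second window; every other match is filtered."""
    gen_id: int
    sig_id: int
    count: int
    seconds: int
    alerts: int = 0
    filtered: int = 0
    # per source: (window start in ms, matches seen so far in window)
    _state: dict = field(default_factory=dict)

    def match(self, src: str, ts_ms: int) -> bool:
        """Feed one rule match; return True if it becomes an alert."""
        start, n = self._state.get(src, (ts_ms, 0))
        if ts_ms - start > self.seconds * 1000:   # window expired: start over
            start, n = ts_ms, 0
        n += 1
        if n >= self.count:                         # C-th match: alert, reset count
            self._state[src] = (start, 0)
            self.alerts += 1
            return True
        self._state[src] = (start, n)               # below C: filtered event
        self.filtered += 1
        return False

    def summary(self) -> str:
        """Mimic the 'filtered events' line Snort prints at shutdown."""
        return (f"| gen-id={self.gen_id} sig-id={self.sig_id} type=Threshold "
                f"tracking=src count={self.count} seconds={self.seconds} "
                f"filtered={self.filtered}")


def constructed_syn_stream():
    """Constructed sample: (src, timestamp ms) for each SYN matching the rule."""
    pkts = [("10.0.0.1", i * 10) for i in range(30)]     # 30 SYNs in 290 ms
    pkts += [("10.0.0.2", i * 100) for i in range(20)]   # 20 SYNs over 1.9 s
    return sorted(pkts, key=lambda p: p[1])


def simulate(count: int = 25, seconds: int = 1):
    """Run the constructed stream through the filter; return (alerts, filtered)."""
    f = ThresholdFilter(gen_id=1, sig_id=1000001, count=count, seconds=seconds)
    for src, ts in constructed_syn_stream():
        f.match(src, ts)
    return f.alerts, f.filtered


if __name__ == "__main__":
    alerts, filtered = simulate()
    print(f"Alerts: {alerts}  Event limit (filtered): {filtered}")
    f = ThresholdFilter(1, 1000001, 25, 1)
    for src, ts in constructed_syn_stream():
        f.match(src, ts)
    print(f.summary())
```

Only 10.0.0.1 reaches 25 matches inside a one-second window, so the run produces one alert; the remaining 49 matches (5 more from 10.0.0.1 after the counter reset, all 20 from 10.0.0.2) are counted as filtered events. That is the shape of Tom's output: a rule can match many times and still produce zero alerts, and the matches that never reached the threshold show up under the Event limit and in the filtered=... line rather than in barnyard2.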

