4.20 What is the difference between "Alerting" and "Logging"?

There are two primary output facilities in Snort: logging and alerting. The alerting facility exists to let you know that something interesting has happened. The logging facility exists to log full packet information to the output format (pcap, ASCII, database, etc.).

The "alert" action in Snort is hard coded to do two things when Snort detects an event: write an event to the alert facility, and log as much as possible/desired to the output facility. The "log" action merely logs the current packet to the logging facility without generating an alert. This is done so you can log interesting things (telnet sessions, whatever) without having to generate an alert on every packet.

The database plugin is something of an anomaly because it doesn't separate the two functionalities very much. The "log" option attaches it to the log facility and the "alert" option attaches it to the alert facility. What this means in practical terms is that if the db plugin is in alert mode, it will only receive output from alert rules, whereas if it's in "log" mode it will receive output from both log and alert rules.
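As an added example (not from the Snort FAQ itself), a snort.conf fragment that puts the two rule actions beside the two output facilities so the routing described above is visible in one place; $HOME_NET, $EXTERNAL_NET, the SIDs and the database credentials are placeholders:

```snort
# --- Rules (assumed to live in a rules file included from snort.conf) ---

# "alert" action: raises an event on the alert facility AND logs the
# triggering packet to the log facility. Every match produces an alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET login prompt"; \
    flow:to_client,established; content:"login|3A|"; sid:1000001; rev:1;)

# "log" action: writes the packet to the log facility only, no alert.
# Captures a whole telnet session without an alert for every packet.
log tcp any any <> $HOME_NET 23 (msg:"TELNET session capture"; \
    sid:1000002; rev:1;)

# --- Output plugins (snort.conf) ---

# Alert facility: one-line event records. Only "alert" rules reach it.
output alert_fast: alert.ids

# Log facility: full packet data in pcap form. Both "alert" and "log"
# rules reach it, because "alert" also logs the packet it fired on.
output log_tcpdump: snort.log

# Database plugin in alert mode: attached to the alert facility, so it
# receives events from "alert" rules only. (placeholder credentials)
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Database plugin in log mode: attached to the log facility, so it
# receives packets from both "log" and "alert" rules. Uncomment to use
# instead of (or alongside) the alert-mode line above.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

With this configuration a telnet session against a monitored host fills snort.log and the log-mode database via sid 1000002 without touching alert.ids, while a matching login prompt reaches alert.ids, snort.log and whichever database mode is enabled via sid 1000001.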