Ask The Enterprise Linux Expert: Questions & Answers

Alert vs. log in the Snort /var/log/snort directory

Expert response from: James Turnbull



QUESTION POSED ON: 20 June 2007
Your article, "Improving Snort with Barnyard," was nice, but I noticed two things. I have used Snort and Barnyard together for a while, and there is some stuff Sourcefire never had the answer to. Maybe you can help. What is the difference between the "log" log and the alert logs that show up in the /var/log/snort directory? I was told by some people you don't need the alert log; the "log" log has everything that alert has and more. Anyway, it is awfully confusing, and it seems that Barnyard only processes the /var/log/snort/*.log files and not the *.alert.







This is an interesting question. The difference between alert and log comes down to how you write your rules. Rules can have actions associated with them when they trigger. The possible actions are, to quote the Snort manual:

  • alert -- generate an alert using the selected alert method, and then log the packet
  • log -- log the packet
  • pass -- ignore the packet
  • activate -- alert and then turn on another dynamic rule
  • dynamic -- remain idle until activated by an activate rule, then act as a log rule

If a rule is configured to alert, then an alert will be generated and output to whatever alert method you have configured, like a file in /var/log/snort. The packet is then logged to your log output method; for example, the snort*.log files. So by processing the log files, you will get all of the entries. The best and clearest answer to this question, however, comes from Marty Roesch himself in this 2002 mailing list post.
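As an added illustration (not part of the original answer, and not Snort's or Barnyard's shipped configuration), here is a minimal snort.conf fragment in Snort 2.x syntax that puts the two actions side by side with separate alert and log output plugins. The HOME_NET value, the output filenames and the two rule SIDs are assumptions chosen for the example.

```conf
# Added example, not from the original answer. Snort 2.x syntax.
# HOME_NET, filenames and SIDs are assumptions for illustration.

var HOME_NET 192.168.1.0/24

# Alert output plugin: one text line per alert, written to
# <logdir>/alert (i.e. /var/log/snort/alert by default).
output alert_fast: alert

# Log output plugin: the triggering packets in tcpdump/pcap format,
# written to <logdir>/snort.log.<timestamp>.
output log_tcpdump: snort.log

# Unified (binary) output for Barnyard. With this prefix Snort writes
# snort.alert.<timestamp> (alert records) and snort.log.<timestamp>
# (alert records plus the packets). Size limit is in megabytes.
output unified: filename snort, limit 128

# alert action: fires the alert plugins AND then the log plugins.
# This packet shows up in the alert file, the tcpdump log and both
# unified files.
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; sid:1000001; rev:1;)

# log action: fires only the log plugins. This packet shows up in the
# tcpdump log and the unified log file, but never in the alert outputs.
log tcp any any -> $HOME_NET 21 (msg:"FTP session logged"; sid:1000002; rev:1;)
```

With this configuration the log stream is a strict superset of the alert stream: every packet an alert rule matches is logged, while a log rule adds packets that no alert output ever sees. That is also why Barnyard appears to ignore the *.alert files. The original Barnyard follows one stream at a time, chosen by its processor line (`processor dp_alert` for the unified alert records, `processor dp_log` for the unified log records) together with the filename prefix passed on the command line with `-f`; a Barnyard started with `dp_log` and `-f snort.log` will open the `snort.log.*` files and never the `snort.alert.*` ones. These processor and option names are from memory of Barnyard 0.2, so confirm them against `barnyard -h` for the version you run.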




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy