The Packet Wire Totals and Action Stats sections of Snort's output include
additional fields:
- Filtered
count of packets filtered out and not handed to Snort for analysis.
- Injected
packets Snort generated and sent, e.g. TCP resets.
- Allow
packets Snort analyzed and did not take action on.
- Block
packets Snort did not forward, e.g. due to a block rule.
- Replace
packets Snort modified.
- Whitelist
packets that caused Snort to allow a flow to pass without inspection by any
analysis program.
- Blacklist
packets that caused Snort to block a flow from passing.
- Ignore
packets that caused Snort to allow a flow to pass without inspection by this
instance of Snort.
The action stats show "blocked" packets instead of "dropped" packets to avoid
confusion between dropped packets (those Snort didn't actually see) and blocked
packets (those Snort did not allow to pass).
Eugene Misnik
2013-05-08