Next: Tunneling Protocol Support
Up: Basic Output
Previous: Protocol Statistics
Contents
Action and verdict counts show what Snort did with the packets it analyzed.
This information is only output in IDS mode (when snort is run with the
-c <conf> option).
- Alerts is the number of activate, alert, and block actions processed as
determined by the rule actions. Here block includes block, drop, and reject
actions. Logged and Passed (shown in the example below) count the log and pass
actions processed in the same way.
Limits arise due to real-world constraints on processing time and available
memory. These indicate potential actions that did not happen:
- Match Limit counts rule matches that were not processed due to the
config detection: max_queue_events setting. The default is 5.
- Queue Limit counts events that could not be stored in the event queue
due to the config event_queue: max_queue setting. The default is 8.
- Log Limit counts events that were not alerted due to the
config event_queue: log setting. The default is 3.
- Event Limit counts events that were not alerted due to
event_filter limits.
- Alert Limit counts events that were not alerted because they had already
been triggered on the session.
Verdicts are rendered by Snort on each packet:
- Allow = packets Snort analyzed and did not take action on.
- Block = packets Snort did not forward, eg due to a block rule. "Block"
is used instead of "Drop" to avoid confusion between dropped packets (those
Snort didn't actually see) and blocked packets (those Snort did not allow to
pass).
- Replace = packets Snort modified, for example, due to normalization or
replace rules. This can only happen in inline mode with a compatible DAQ.
- Whitelist = packets that caused Snort to allow a flow to pass without
inspection by any analysis program. Like Blacklist, this is done by the DAQ or
by Snort on subsequent packets.
- Blacklist = packets that caused Snort to block a flow from passing. This
is the case when a block TCP rule fires. If the DAQ supports this in hardware,
no further packets will be seen by Snort for that session. If not, Snort will
block each packet itself and this count will be higher.
- Ignore = packets that caused Snort to allow a flow to pass without inspection
by this instance of Snort. Like Blacklist, this is done by the DAQ or by Snort
on subsequent packets.
- Int Blklst = GTP- or Teredo-encapsulated packets that are being blocked.
These packets would get the Blacklist verdict instead if config
tunnel_verdicts were set for the given protocol. Note that this count is
output only if non-zero. Also, this count is incremented on the first packet
in the flow that alerts; the alerting packet and all following packets on the
flow are counted under Block.
- Int Whtlst = GTP- or Teredo-encapsulated packets that are being allowed.
These packets would get the Whitelist verdict instead if config
tunnel_verdicts were set for the given protocol. Note that this count is
output only if non-zero. Also, this count is incremented for all packets on
the flow starting with the alerting packet.
Example:
===============================================================================
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 3716022 (100.000%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
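The Limit counters above are the part of this block worth checking after every run: a non-zero Match, Queue, or Log count means rule matches or events were silently discarded, and the Int Blklst/Int Whtlst lines are only printed when non-zero, so a parser has to treat them as optional. The following is an added example, not code from the Snort project: it parses a stats block in the format shown above, reports each non-zero Limit together with the config setting the text attributes it to, and totals the six per-packet verdicts. The sample block is constructed (the manual's layout with non-zero counters filled in), and the function names are this example's own.

```python
"""Parse the 'Action Stats' block Snort prints at shutdown (IDS mode, -c <conf>)
and flag Limit counters that are non-zero, i.e. alerts Snort could not process.

Added example for this page, not code from the Snort project. SAMPLE_STATS is
constructed from the manual's example layout with non-zero limits and verdicts
filled in so the checks have something to report.
"""
import re

# Constructed sample. 'Int Blklst' only appears in real output when non-zero.
SAMPLE_STATS = """\
===============================================================================
Action Stats:
     Alerts:         1570 (  0.042%)
     Logged:         1570 (  0.042%)
     Passed:            0 (  0.000%)
Limits:
      Match:           12
      Queue:            3
        Log:            0
      Event:           40
      Alert:          208
Verdicts:
      Allow:      3714800 ( 99.968%)
      Block:          900 (  0.024%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          300 (  0.008%)
     Ignore:            0 (  0.000%)
 Int Blklst:           22 (  0.001%)
===============================================================================
"""

# Which setting governs each Limit counter, taken from the manual text above.
LIMIT_SETTINGS = {
    "Match": "config detection: max_queue_events (default 5)",
    "Queue": "config event_queue: max_queue (default 8)",
    "Log": "config event_queue: log (default 3)",
    "Event": "event_filter limits",
    "Alert": "event already triggered on the session (de-duplication, expected)",
}

# The six per-packet verdicts the manual lists; Int Blklst/Int Whtlst packets
# are also counted under Block/Whitelist, so they are not summed again.
VERDICTS = ("Allow", "Block", "Replace", "Whitelist", "Blacklist", "Ignore")

_SECTION_RE = re.compile(r"^\s*(Action Stats|Limits|Verdicts):\s*$")
_COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$")


def parse_action_stats(text):
    """Return {'Action Stats': {...}, 'Limits': {...}, 'Verdicts': {...}}.

    Each counter maps to (count, percent_or_None). Counters that Snort did
    not print (e.g. 'Int Blklst' when zero) are simply absent from the dict.
    """
    stats = {}
    section = None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        m = _COUNTER_RE.match(line)
        if m and section is not None:
            name, count, pct = m.group(1).strip(), int(m.group(2)), m.group(3)
            stats[section][name] = (count, float(pct) if pct is not None else None)
    return stats


def limit_warnings(stats):
    """One message per non-zero Limit counter, naming the setting to revisit."""
    msgs = []
    for name, (count, _) in stats.get("Limits", {}).items():
        if count:
            msgs.append("%s limit hit %d times: %s"
                        % (name, count, LIMIT_SETTINGS.get(name, "unknown")))
    return msgs


def verdict_total(stats):
    """Sum of the six per-packet verdicts, i.e. packets Snort rendered a verdict on."""
    verdicts = stats.get("Verdicts", {})
    return sum(verdicts.get(v, (0, None))[0] for v in VERDICTS)


if __name__ == "__main__":
    parsed = parse_action_stats(SAMPLE_STATS)
    print("packets with a verdict:", verdict_total(parsed))
    for warning in limit_warnings(parsed):
        print("WARNING:", warning)
```

Run it against the tail of a real Snort shutdown log (the block between the `===` rules) to get the same report; a Match or Queue warning on a production sensor is the cue to raise the corresponding event_queue or detection setting rather than to assume the rule set simply did not fire.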
Eugene Misnik
2013-05-08