Alert Subsystem
The alert subsystem is one of the key components of Snort. The goal of Snort is to inspect network traffic and identify (and, in inline mode, stop) malicious traffic. To do that, the traffic is first captured (by DAQ modules), then decoded (by the decoder, or codec, modules), analyzed (by inspector modules), and finally matched against the signatures (by the detection engine, which applies the rules). In this chapter, we will discuss what happens when there is a successful match for a signature: the role of the alert subsystem, that is, generating an alert when a packet or session has been identified as malicious.
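As an added illustration of the chain described above (this is example configuration written for this chapter, not configuration from the Snort project or the original text), the following Snort 3 `snort.lua` fragment defines a single rule whose action is `alert` and enables two of the built-in alert output modules, so that a match in the detection engine results in an alert being written in two formats. The `HOME_NET` value and the rule's `sid` are placeholders chosen for the example.

```lua
-- Example snort.lua fragment (added for this chapter; not Snort's shipped config).
-- Pipeline: DAQ (capture) -> codecs (decode) -> inspectors (analyze) -> detection (rules)
-- When a rule fires, the alert subsystem hands the event to every enabled output module.

-- Network variables used by rules. 10.0.0.0/8 is a placeholder for the example.
variables =
{
    nets = { HOME_NET = '10.0.0.0/8', EXTERNAL_NET = '!10.0.0.0/8' }
}

-- Rules are normally loaded from files; an inline rule keeps this example self-contained.
-- sid 1000001 is in the local-rule range and is a placeholder for this example.
ips =
{
    enable_builtin_rules = true,
    rules = [[
        alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Example: ICMP echo request from outside";
            itype:8; sid:1000001; rev:1; )
    ]]
}

-- Alert output modules: each one formats the same event differently.
-- alert_fast writes one line per event; packet = false keeps the packet dump out of the line.
alert_fast = { file = true, packet = false }

-- alert_json writes one JSON object per event with the selected fields, suitable for a SIEM.
alert_json =
{
    file = true,
    fields = 'timestamp pkt_num proto dir src_ap dst_ap rule action msg'
}
```

With this fragment in place, `snort -c snort.lua -r capture.pcap -l /var/log/snort` runs the pipeline over a capture and writes `alert_fast.txt` and `alert_json.txt` into the log directory; a single matching ICMP echo request produces one record in each. The `-A` command-line option selects an output module without editing the configuration.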
At a high level, we will study the Snort alert subsystem, how it works, the various types or formats of alerts, and the configuration parameters.
We will be covering the following main topics:
- Post-inspection processing
- Alert formats