Snort mailing list archives
Re: snort is logging alerts but not capturing corresponding packets for some rules
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 25 Apr 2011 17:55:45 -0600
Howdy Joel :)

The issue is just that my friend... some alerts fire, log to the .fast file (even enabled the .full one as well), but when you go to the pcap, it's just not there. I can see other entries before and after, but not the one that I was looking for. Odd thing is, most of the ones that miss are WEB-* ones. I'll see what I can find tomorrow when I get to work to put together... I know I've got instances where the alert fired, logged to the fast, didn't in the snort pcap, but I have a pcap in my FPC.

Thanks again.

James

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 25 Apr 2011 19:43:30 -0400
To: "Lay, James" <james.lay () wincofoods com>
Cc: Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

I am more than willing to help you take a look if you have a pcap where you can reproduce the issue, or specific rules that are not firing.

J

On Mon, Apr 25, 2011 at 6:49 PM, Lay, James <james.lay () wincofoods com> wrote:
From: Kumar, Mahendra [mailto:mkumar () intacct com]
Sent: Monday, April 25, 2011 3:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Hi,

I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos 5.5 (x86_64). I am not using any other thing like unified2, base, barnyard, mysql etc. My snort is working properly and I am getting alerts and packet captures in snort.log in tcpdump format. But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but there is no packet capture in snort.log, and it is very consistent behavior, i.e. I will never get packet captures for some of the rules but will always get the alert, so it is not a packet drop problem. It seems to be a config issue where the alert is logged but no packet is captured. Please help me resolve this issue.

Thanks,
MK

Welcome to my world... I've submitted this exact same item a few times. Seems to be a mystery. I have snort boxes in a few different sites on a few different OS's. Same thing though: I get the alert in the .fast file, but certain things just do not log to the pcap. I've had to work around this with full web traffic packet captures. The machines aren't even close to maxing CPU or memory, but the problem still persists. If anyone has some advice I'd love to hear it.

James

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
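The symptom the thread describes (an entry in the .fast alert file with no corresponding packet in snort.log) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread or from the Snort project. It parses alert_fast lines with a regular expression, reads a tcpdump-format capture with only the standard library (classic pcap, Ethernet link type, IPv4 TCP/UDP; pcapng and other link types are out of scope), and reports every alert whose 5-tuple has no packet within a time window. The alert lines, the addresses (RFC 5737 documentation ranges) and the in-memory capture are constructed for the example; the rule message text and revision for sid 1394 are illustrative, and the year argument exists because alert_fast timestamps carry none. Pointed at a real .fast file and snort.log (or, as James does, at a full-packet-capture pcap) it will list exactly which alerts lack packets.

```python
import re
import socket
import struct
from datetime import datetime

# alert_fast line layout as written by Snort 2.x:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# Only TCP/UDP alerts (which carry ports) are correlated; ICMP lines simply do not match.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def alert_time(ts, year):
    """alert_fast timestamps have no year; the caller supplies it. Returns local-time epoch seconds."""
    return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f").timestamp()


def five_tuple(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4/TCP|UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return ({6: "TCP", 17: "UDP"}[proto],
            socket.inet_ntoa(ip[12:16]), sport,
            socket.inet_ntoa(ip[16:20]), dport)


def read_pcap(data):
    """Yield (epoch_seconds, five_tuple) for each IPv4 TCP/UDP record in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled in this example)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("this example assumes an Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        tup = five_tuple(data[off:off + incl])
        off += incl
        if tup:
            yield sec + usec / 1e6, tup


def find_unlogged(alert_text, pcap_bytes, year, window=1.0):
    """Return (gid:sid:rev, msg, line) for alerts with no same-5-tuple packet within `window` seconds."""
    packets = list(read_pcap(pcap_bytes))
    missing = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        t = alert_time(m["ts"], year)
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if not any(tup == key and abs(pt - t) <= window for pt, tup in packets):
            missing.append((f"{m['gid']}:{m['sid']}:{m['rev']}", m["msg"], line))
    return missing


# ---- constructed sample data (not from the thread) ----------------------------------

def build_frame(src, sport, dst, dport, payload=b"A" * 32):
    """Synthetic Ethernet/IPv4/TCP frame with zero checksums: good enough to parse, not to replay."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(records):
    """Classic little-endian pcap (DLT_EN10MB) from (epoch_seconds, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for t, frame in records:
        sec = int(t)
        usec = int(round((t - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


YEAR = 2011  # the thread's year; needed because alert_fast lines carry none

ALERTS = (  # constructed alert_fast lines; msg text and rev for sid 1394 are illustrative
    "04/25-15:50:01.000100  [**] [1:1394:14] SHELLCODE x86 inc ecx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] "
    "{TCP} 192.0.2.10:40001 -> 198.51.100.5:80\n"
    "04/25-15:50:02.000200  [**] [1:1000001:1] LOCAL example web request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 192.0.2.11:40002 -> 198.51.100.5:80\n"
)

# Constructed snort.log: the second alert's packet was written, the first one's was not.
SNORT_LOG = build_pcap([
    (alert_time("04/25-15:50:02.000200", YEAR), build_frame("192.0.2.11", 40002, "198.51.100.5", 80)),
    (alert_time("04/25-15:50:02.500000", YEAR), build_frame("192.0.2.12", 40003, "198.51.100.5", 80)),
])

if __name__ == "__main__":
    for sig, msg, _line in find_unlogged(ALERTS, SNORT_LOG, YEAR):
        print(f"alert {sig} ({msg}) has no packet in snort.log")
```

Against the constructed data this reports only 1:1394:14, which is the shape of the problem MK and James describe. The time window matters on a real box: Snort stamps the alert from the packet it matched, but a capture written by a separate full-packet-capture sensor can be offset by clock skew, so widen `window` before concluding a packet is absent.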
Current thread:
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules James Lay (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules James Lay (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Message not available
- Message not available
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules waldo kitty (Apr 27)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 27)
- Message not available
- Re: snort is logging alerts but not capturing corresponding packets for some rules Agustin Roca (May 01)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)