Snort mailing list archives

Re: missing pcaps for alerts


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Oct 2011 10:15:05 -0400


On Oct 18, 2011, at 8:54 PM, John Ives wrote:

> On 10/18/2011 5:37 PM, Joel Esler wrote:
>> From your email, you are implying that you are getting packets for
>> all other rules?
>>
>> What is your output method?
>
> Correct.  Most of the rules triggered still seem to log packets and
> they do it consistently.  The output methods did not change between
> 2.9.1.0 and 2.9.1.1 and are:
>
> output log_tcpdump: snort.log
> output alert_syslog:  LOG_LOCAL4 LOG_DEBUG
> output alert_fast: alert
>
> The alert_fast output was put in to double check the syslog alerts,
> but like I said it wasn't changed.

Can you try and output in unified2 additionally and take a look at the output with u2spewfoo and see if the packet data is in there?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
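Joel's suggestion amounts to adding a unified2 output alongside the existing ones (for example `output unified2: filename snort.u2, limit 128` in snort.conf) and then confirming with u2spewfoo that each "(Event)" record in the spool is followed by a "Packet" record for the same event. The script below is an added example written for this thread; it is not Snort's code and not part of u2spewfoo. It automates that check by walking a unified2 file record by record and listing the gid:sid pairs whose events have no packet record. It assumes the unified2 record framing (big-endian type and length header), the legacy IPv4 event body written as type 7, a shared 36-byte prefix (sensor, event id, seconds, microseconds, sid, gid, revision, class, priority) for the other event types it accepts, and the type 2 packet header; the sample spool is constructed inside the script, not captured traffic.

```python
"""Audit a unified2 spool for IDS events that were logged without a packet record.

Added example for the snort-users thread; not Snort's own code.
Assumed layouts (unified2 format as understood by the author of this example):
  record header : type (u32 BE), length (u32 BE), then `length` bytes of body
  type 7        : legacy IPv4 IDS event, 52-byte body
  types 72/104/105 : other event variants, assumed to share the first 36 bytes with type 7
  type 2        : packet record, 28-byte header followed by the captured bytes
"""
import struct
import sys
from typing import Dict, Iterator, List, Tuple

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                      # legacy IPv4 event
EVENT_TYPES = {7, 72, 104, 105}             # assumption: all start with the same 9 u32 fields

RECORD_HDR = ">II"
# sensor, event_id, sec, usec, sid, gid, rev, class, prio, src, dst, sport, dport, proto, impact_flag, impact, blocked
EVENT_FMT_V7 = ">IIIIIIIIIIIHHBBBB"
EVENT_PREFIX_FMT = ">IIIIIIIII"             # the 9 leading u32 fields common to the event types above
PACKET_HDR_FMT = ">IIIIIII"                 # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len

EventKey = Tuple[int, int, int]             # (sensor_id, event_id, event_second) links a packet to its event


def iter_records(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for every record; a body shorter than its header claims is a ValueError."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(RECORD_HDR, buf, off)
        off += 8
        if off + rlen > len(buf):
            raise ValueError(f"truncated record (type {rtype}) at offset {off - 8}")
        yield rtype, buf[off:off + rlen]
        off += rlen


def audit(buf: bytes) -> Dict[EventKey, dict]:
    """Map each event to its gid/sid and the number of packet records that reference it."""
    events: Dict[EventKey, dict] = {}
    for rtype, body in iter_records(buf):
        if rtype in EVENT_TYPES and len(body) >= struct.calcsize(EVENT_PREFIX_FMT):
            f = struct.unpack_from(EVENT_PREFIX_FMT, body)
            events[(f[0], f[1], f[2])] = {"gid": f[5], "sid": f[4], "packets": 0}
        elif rtype == UNIFIED2_PACKET and len(body) >= struct.calcsize(PACKET_HDR_FMT):
            sensor, event_id, event_sec = struct.unpack_from(PACKET_HDR_FMT, body)[:3]
            ev = events.get((sensor, event_id, event_sec))
            if ev is not None:              # packet records follow the event they belong to
                ev["packets"] += 1
        # extra-data and unknown record types are skipped in this example
    return events


def events_missing_packets(buf: bytes) -> List[Tuple[int, int]]:
    """Sorted (gid, sid) pairs, one per event that has no packet record behind it."""
    return sorted((e["gid"], e["sid"]) for e in audit(buf).values() if e["packets"] == 0)


def build_event(sensor: int, event_id: int, sec: int, gid: int, sid: int) -> bytes:
    """Constructed type 7 event record (10.0.0.1:40000 -> 10.0.0.2:80/tcp) for the sample spool."""
    body = struct.pack(EVENT_FMT_V7, sensor, event_id, sec, 0, sid, gid, 1, 0, 1,
                       0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0)
    return struct.pack(RECORD_HDR, UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor: int, event_id: int, sec: int, data: bytes) -> bytes:
    """Constructed type 2 packet record tied to the event identified by (sensor, event_id, sec)."""
    body = struct.pack(PACKET_HDR_FMT, sensor, event_id, sec, sec, 0, 1, len(data)) + data
    return struct.pack(RECORD_HDR, UNIFIED2_PACKET, len(body)) + body


# Constructed sample spool (not a real capture): three events, the second logged without a packet.
_PKT = b"\x00" * 14 + b"\x45\x00\x00\x28" + b"\x00" * 36   # placeholder Ethernet + IPv4 bytes
SAMPLE_U2 = b"".join([
    build_event(1, 1, 1319000000, 1, 2000001), build_packet(1, 1, 1319000000, _PKT),
    build_event(1, 2, 1319000001, 1, 2000002),                   # no packet record follows
    build_event(1, 3, 1319000002, 1, 2000001), build_packet(1, 3, 1319000002, _PKT),
])

if __name__ == "__main__":
    # Usage: python u2audit.py snort.u2   (falls back to the constructed sample without an argument)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_U2
    for gid, sid in events_missing_packets(data):
        print(f"no packet record for {gid}:{sid}")
```

Run it against the spool Snort writes after the extra `output unified2` line is added; any gid:sid it prints is a rule whose alerts reach unified2 without packet data, which is the same thing u2spewfoo would show as an "(Event)" block with no following "Packet" block.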