Snort mailing list archives
missing pcaps for alerts
From: John Ives <jives () security berkeley edu>
Date: Tue, 18 Oct 2011 16:24:14 -0700
Recently, after upgrading to 2.9.1.1 (from 2.9.1.0) on several FreeBSD sensors, I noticed that only some of the alerts are logging the pcap output from the alerts that it is putting in the local logs and sending via syslog. At first I noticed it in several Emerging Threats alerts, but today I also found that some of the VRT rules are also missing the corresponding pcaps.

The rules that are consistently missing pcaps are:

Emerging Threats Rules: 2011146 2011588 2011894 2012299 2012491 2012609 2012612 2012616 2012799 2012801 2012893 2013076 2013093 2013094 2013202 2013372 2013387 2013508 2013520 2013651 2013666 2013686

VRT Rules: 10196 10197 16008

Snort information: Installed from FreeBSD ports with support for IPV6, GRE, DECODERPRE, ZLIB, PERFPROFILE
OS: FreeBSD 8.1 64bit

The missing packets are not intermittent, but consistent since the upgrade.

Thank you,
John

--
John Ives
System & Network Security
Phone (510) 229-8676
University of California, Berkeley
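As an added example (not from John's post or from the Snort project), a Python check for the symptom reported above: it parses Snort syslog/alert_fast-style alert lines and a classic pcap as written by Snort's tcpdump log output, then counts, per SID, the alerts whose 5-tuple never appears in the capture. The alert lines and pcap bytes are constructed inline; the regex and the Ethernet/IPv4-only packet decoding are assumptions about the log layout, not Snort's own code.

```python
import re
import struct
from collections import Counter
# "[gid:sid:rev] msg ... {PROTO} sip:sport -> dip:dport" as logged by alert_fast / syslog
ALERT_RE = re.compile(
    r"\[\d+:(\d+):\d+\].*?\{(TCP|UDP)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")

def parse_alerts(lines):
    """Yield (sid, flow) per alert line; flow = (proto, sip, sport, dip, dport)."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            sid, proto, sip, sp, dip, dp = m.groups()
            yield int(sid), (proto, sip, int(sp), dip, int(dp))

def pcap_flows(data):
    """Return the set of TCP/UDP 5-tuples in a classic (non-pcapng) Ethernet/IPv4 pcap."""
    end = "<" if struct.unpack("<I", data[:4])[0] in (0xa1b2c3d4, 0xa1b23c4d) else ">"
    flows, off = set(), 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]   # captured length
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # EtherType must be IPv4
            continue
        l4, proto = 14 + (pkt[14] & 0x0F) * 4, pkt[23]  # L4 offset from IHL, IP protocol
        sip, dip = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        if proto in (6, 17) and len(pkt) >= l4 + 4:
            sp, dp = struct.unpack("!HH", pkt[l4:l4 + 4])
            flows.add(("TCP" if proto == 6 else "UDP", sip, sp, dip, dp))
    return flows

def missing_pcap_sids(alert_lines, pcap_bytes):
    """Count alerts per SID whose 5-tuple never shows up in the pcap log."""
    flows = pcap_flows(pcap_bytes)
    return dict(Counter(s for s, f in parse_alerts(alert_lines) if f not in flows))

# --- constructed sample data; not taken from the list post or any real sensor ---
def _tcp_syn(sip, sp, dip, dp):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, sip.split("."))), bytes(map(int, dip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
_PKT = _tcp_syn("10.0.0.5", 40000, "192.0.2.1", 80)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # global header
               + struct.pack("<IIII", 1318980254, 0, len(_PKT), len(_PKT)) + _PKT)
SAMPLE_ALERTS = [  # SID 2011146 has its packet logged; SID 10196 alerts twice with no pcap
    "snort[123]: [1:2011146:5] ET sample one [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.0.2.1:80",
    "snort[123]: [1:10196:9] VRT sample two [Priority: 1] {TCP} 10.0.0.7:51000 -> 192.0.2.9:443",
    "snort[123]: [1:10196:9] VRT sample two [Priority: 1] {TCP} 10.0.0.7:51001 -> 192.0.2.9:443",
]
```

Run against a sensor's real alert log and its tcpdump-format log file to get a per-SID count of alerts with no captured packet, which is the list a report like the one above needs.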
Current thread:
- missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts Eoin Miller (Oct 20)
- Re: missing pcaps for alerts Joel Esler (Oct 20)
- Re: missing pcaps for alerts John Ives (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 20)