Snort mailing list archives
Re: missing pcaps for alerts
From: John Ives <jives () security berkeley edu>
Date: Wed, 19 Oct 2011 16:49:49 -0700
On 10/19/2011 7:15 AM, Joel Esler wrote:
> On Oct 18, 2011, at 8:54 PM, John Ives wrote:
>> On 10/18/2011 5:37 PM, Joel Esler wrote:
>>> From your email, you are implying that you are getting packets for all other rules? What is your output method?
>>
>> Correct. Most of the rules triggered still seem to log packets and they do it consistently. The output methods did not change between 2.9.1.0 and 2.9.1.1 and are:
>>
>>   output log_tcpdump: snort.log
>>   output alert_syslog: LOG_LOCAL4 LOG_DEBUG
>>   output alert_fast: alert
>>
>> The alert_fast output was put in to double check the syslog alerts, but like I said it wasn't changed.
>
> Can you try and output in unified2 additionally and take a look at the output with u2spewfoo and see if the packet data is in there?

I have added 'output unified2: filename merged.log, limit 128' to the snort.conf file and so far (from limited data, since I am waiting for the alerts to get triggered) it appears that some of the alerts that were missing tcpdump output before do have the packets in the unified output file (they still do not have anything in the corresponding tcpdump files); however, that is not universal. For instance, VRT 16008 does have the packet information in the unified file and not the tcpdump file, but ET 2013076 has the alert in the unified file, but no packet data in either the unified file or the tcpdump file.

Yours,
John

--
-------------------------------------------------------------------------
John Ives
System & Network Security                       Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
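The check Joel suggests (look in the unified2 output for packet data) can be scripted instead of eyeballed with u2spewfoo. This added example is mine, not from the thread or from Snort: it walks a unified2 spool file using the record layouts from Snort's Unified2_common.h (8-byte big-endian record header, events correlated to packets by sensor_id/event_id/event_second) and lists the (gid, sid) pairs whose events carry no UNIFIED2_PACKET record; the SAMPLE bytes are constructed here to mirror the two rules John mentions (with an assumed gid of 1), not taken from his capture.

```python
import struct
from collections import defaultdict

# Unified2 record types, as defined in Snort's Unified2_common.h
U2_PACKET = 2
U2_IDS_EVENT = 7  # legacy IPv4 event (52-byte body)
U2_IDS_EVENT_IPV6, U2_IDS_EVENT_V2, U2_IDS_EVENT_IPV6_V2 = 72, 104, 105
EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_V2, U2_IDS_EVENT_IPV6_V2}

def iter_records(data):
    """Yield (type, body) per record; the header is two big-endian uint32s."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            break  # truncated tail: the spooler may still be writing this record
        yield rtype, data[off:off + length]
        off += length

def events_without_packets(data):
    """Return {(gid, sid): count} for events that have no UNIFIED2_PACKET record.
    Event and packet records are tied together by (sensor_id, event_id, event_second)."""
    events, with_pkt = {}, set()
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            # the first six uint32 fields are identical in all four event layouts
            sensor, eid, sec, _usec, sid, gid = struct.unpack_from("!6I", body, 0)
            events[(sensor, eid, sec)] = (gid, sid)
        elif rtype == U2_PACKET:
            with_pkt.add(struct.unpack_from("!3I", body, 0))
    missing = defaultdict(int)
    for key, gid_sid in events.items():
        if key not in with_pkt:
            missing[gid_sid] += 1
    return dict(missing)

# Constructed sample records (not a real capture), built to the legacy layouts
def _event(eid, sid, gid=1, sensor=0, sec=1319068800):
    body = struct.pack("!9I", sensor, eid, sec, 0, sid, gid, 1, 0, 0)
    body += struct.pack("!IIHHBBBB", 0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return struct.pack("!II", U2_IDS_EVENT, len(body)) + body

def _packet(eid, payload, sensor=0, sec=1319068800):
    body = struct.pack("!7I", sensor, eid, sec, sec, 0, 1, len(payload)) + payload
    return struct.pack("!II", U2_PACKET, len(body)) + body

# SID 16008 is logged with its packet; SID 2013076 has an event record only
SAMPLE = _event(1, 16008) + _packet(1, b"\x45" + b"\x00" * 39) + _event(2, 2013076)
```

Run it over a real spool with `events_without_packets(open('merged.log.<timestamp>', 'rb').read())`; an empty dict means every event in that file has its packet, and a partially written final record is skipped rather than misparsed.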
Current thread:
- missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts Eoin Miller (Oct 20)
- Re: missing pcaps for alerts Joel Esler (Oct 20)
- Re: missing pcaps for alerts John Ives (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 20)