Snort mailing list archives

Re: missing pcaps for alerts


From: John Ives <jives () security berkeley edu>
Date: Wed, 19 Oct 2011 16:49:49 -0700


On 10/19/2011 7:15 AM, Joel Esler wrote:

On Oct 18, 2011, at 8:54 PM, John Ives wrote:


On 10/18/2011 5:37 PM, Joel Esler wrote:
From your email, you are implying that you are getting packets
for all other rules?

What is your output method?

Correct.  Most of the rules triggered still seem to log packets
and they do it consistently.  The output methods did not change
between 2.9.1.0 and 2.9.1.1 and are:

output log_tcpdump: snort.log
output alert_syslog: LOG_LOCAL4 LOG_DEBUG
output alert_fast: alert

The alert_fast output was put in to double check the syslog
alerts, but like I said it wasn't changed.

Can you try and output in unified2 additionally and take a look at
the output with u2spewfoo and see if the packet data is in there?

I have added 'output unified2: filename merged.log, limit 128' to the
snort.conf file and so far (from limited data - since I am waiting for
the alerts to get triggered) it appears that some of the alerts that
were missing tcpdump output before do have the packets in the unified
output file (they still do not have anything in the corresponding
tcpdump files), however that is not universal.

For instance VRT 16008 does have the packet information in the unified
file and not the tcpdump file, but ET 2013076 has the alert in the
unified file, but no packet data in either the unified file or the
tcpdump file.

Yours,

John


-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
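As an added example (not from this thread and not Snort's own tooling), a small reader for the unified2 file John added that does the u2spewfoo cross-check programmatically: it pairs packet records with their event by (sensor_id, event_id) and lists alerts that have no packet record. Record layouts follow Snort's Unified2_common.h (event type 7, packet type 2); the sample stream, sensor/event ids, addresses and timestamps are constructed, reusing the two signature ids from the mail.

```python
import struct
import sys
from collections import defaultdict
# unified2 record types and layouts (big-endian), per Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FMT = ">11I2H4B"   # 52-byte Unified2IDSEvent (IPv4, version 1)
PACKET_FMT = ">7I"       # 28-byte Unified2Packet header; raw packet bytes follow

def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 byte stream."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen

def events_without_packets(data):
    """Sorted (gid, sid) of events that have no packet record. Packets are
    tied to events by (sensor_id, event_id), the ids u2spewfoo prints."""
    events, packets = {}, defaultdict(int)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body[:struct.calcsize(EVENT_FMT)])
            events[(f[0], f[1])] = (f[5], f[4])   # -> (generator_id, signature_id)
        elif rtype == UNIFIED2_PACKET:
            packets[struct.unpack_from(">II", body, 0)] += 1
    return sorted(gs for key, gs in events.items() if packets[key] == 0)

def make_event(sensor_id, event_id, gid, sid):
    # Constructed event: fixed timestamp, 10.0.0.1:12345 -> 10.0.0.2:80, TCP
    body = struct.pack(EVENT_FMT, sensor_id, event_id, 1319068189, 0, sid, gid,
                       1, 0, 2, 0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(sensor_id, event_id, payload):
    body = struct.pack(PACKET_FMT, sensor_id, event_id, 1319068189, 1319068189,
                       0, 1, len(payload)) + payload   # linktype 1 = Ethernet
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed sample: VRT 1:16008 with its packet, ET 1:2013076 without one.
SAMPLE = (make_event(0, 1, 1, 16008) + make_packet(0, 1, b"\x00" * 60)
          + make_event(0, 2, 1, 2013076))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for gid, sid in events_without_packets(blob):
        print("alert %d:%d has no packet record" % (gid, sid))
```

Run it against merged.log (or any unified2 file) to get the gid:sid list of alerts that were logged without packet data; with no argument it runs on the constructed sample.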
