Snort mailing list archives
Re: Snort /var/log/snort/tcpdump<>
From: Amit B <amn0p () me com>
Date: Tue, 27 Dec 2011 07:49:12 -0600
Nope, my issue is no pcap logs for certain alerts. Some of them are triggered from text rules (not so rules).

Thanks

On Dec 26, 2011, at 23:50, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

Are there multiple alerts for the same session? There appears to be a bug where only the first alert has logged packets in the unified2 output. This could be the same issue affecting the PCAP output.

-- Eoin

On Dec 26, 2011, at 10:52 PM, amN0P () me com wrote:

Hi everyone,

I am sending Snort alerts to a central syslog server. If I want more insight I go to the /var/log/snort/tcpdumpxxx pcap files to learn what triggered the alert. Many a times I don't see an equivalent pcap log for a syslog alert. What do these tcpdump pcaps contain and not contain? Do they have full packet dumps of all alerts triggered from the rules file but not from so rules? Can someone please clarify.

Thanks.
-Ams

------------------------------------------------------------------------------
Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
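Eoin's observation above concerns events that reach the unified2 spool with no packet record behind them. The script below is an added example, not code from this thread or from Snort itself: it walks a unified2 file and lists every IDS event that has no UNIFIED2_PACKET record with the same sensor_id and event_id, so a missing pcap for a syslog alert can be confirmed against the spool. It assumes the record layouts from Snort's Unified2_common.h (type 7 and the 72/104/105 variants share the same first six fields) and, when run without a path argument, uses a constructed two-event sample rather than real captured data.

```python
import struct
import sys

# Unified2 record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 72, 104, 105}  # IDS_EVENT, IDS_EVENT_IPV6, _VLAN, _IPV6_VLAN

def parse_unified2(data):
    """Yield (record_type, body) per record: 4-byte type, 4-byte length, body (big-endian)."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + length]
        off += length

def events_missing_packets(data):
    """Return {(sensor_id, event_id): (gid, sid)} for events with no UNIFIED2_PACKET record."""
    events, with_packet = {}, set()
    for rtype, body in parse_unified2(data):
        if rtype in EVENT_TYPES:
            # Every IDS event layout starts with the same six uint32 fields:
            # sensor_id, event_id, event_second, event_microsecond, signature_id, generator_id
            sensor_id, event_id, _, _, sid, gid = struct.unpack_from(">6I", body)
            events[(sensor_id, event_id)] = (gid, sid)
        elif rtype == UNIFIED2_PACKET:
            # A packet record opens with sensor_id, event_id, which link it to its event
            sensor_id, event_id = struct.unpack_from(">II", body)
            with_packet.add((sensor_id, event_id))
    return {k: v for k, v in events.items() if k not in with_packet}

# Constructed sample spool (not captured data): event 1 has a packet, event 2 does not.
def _event(sensor_id, event_id, gid, sid):
    body = struct.pack(">11I2H4B", sensor_id, event_id, 1324960000, 0, sid, gid, 1, 0, 1,
                       0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return struct.pack(">II", 7, len(body)) + body

def _packet(sensor_id, event_id, payload):
    body = struct.pack(">7I", sensor_id, event_id, 1324960000, 1324960000, 0, 1, len(payload)) + payload
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

SAMPLE = _event(1, 1, 1, 2000001) + _packet(1, 1, b"\x45\x00" * 10) + _event(1, 2, 1, 2000002)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for (sensor, eid), (gid, sid) in sorted(events_missing_packets(data).items()):
        print("sensor %d event %d (%d:%d) has no packet record" % (sensor, eid, gid, sid))
```

Run it against a real spool file (for example `python check_u2.py /var/log/snort/snort.u2.<timestamp>`) to list alerts whose packets never made it into the unified2 output.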