Snort mailing list archives
log_tcpdump does not log
From: Han Boetes <hboetes () utelisys com>
Date: Mon, 19 Mar 2012 12:59:23 +0100
Hi, I am trying to see whether packetfence is generating a false positive or not on certain packages, and to do that I would like to capture the packets that generated an alert with log_tcpdump into a file. Snort starts fine with that line in the configuration, but the file isn't generated after alerts. Yes, snort can write to the given directory. Actually I have three machines running snort and it works on one and not on the other two.

hboetes@oink /etc/snort % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes@oink /etc/snort % l /var/log/snort/tcpdump.log.133*
-rw------- 1 root root 8.0M Mar 19 12:47 /var/log/snort/tcpdump.log.1332123032
hboetes@oink /etc/snort % stripcom snort.conf|grep tcpdump
output log_tcpdump: tcpdump.log

hboetes@ds2 /usr/local/pf/conf % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes@ds2 /usr/local/pf/conf % stripcom /usr/local/pf/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/tcpdump.log
% ls /usr/local/pf/var/tcpdump.log*
zsh: no matches found: /usr/local/pf/var/tcpdump.log*

hboetes@ds1 ~ % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.1 IPv6 GRE (Build 107)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

hboetes@ds1 ~ % stripcom /usr/local/pf/var/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/violation_pcap
hboetes@ds1 ~ % l /usr/local/pf/var/violation_pcap*
zsh: no matches found: /usr/local/pf/var/violation_pcap*
hboetes@ds1 ~ % pg snort
USER  PID %CPU %MEM   VSZ   RSS TTY STAT START TIME COMMAND
pf   1322 20.6  0.5 67900 43860 ?   Ssl  12:57 0:02 /usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -D -l /usr/local/pf/var --pid-path /usr/local/pf/var/run

Kind regards,

Han Boetes
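The post compares three hosts by hand: the config line that names the log_tcpdump file, the directory the file should land in, and the running snort command line. The script below is an added example (not from the post or from the Snort project) that automates those same three checks. It strips comments from snort.conf the way the post's stripcom does, reads -u/-l/-N off the command line, resolves a relative log_tcpdump name against the -l log directory (Snort's documented default being /var/log/snort), and reports the directory that must exist and be writable by the -u user. It also flags -N, which in Snort turns packet logging off while alerts keep firing, so output log_tcpdump writes nothing. The sample config and command line are constructed from the ds1 host in the post; the dir_exists callback is a hook so the check can run without that filesystem present.

```python
"""Check why Snort's log_tcpdump output plugin might not produce a file.

Added example, not part of the mailing-list post. Sample inputs are
constructed from the post's ds1 host.
"""
import os
import re
import shlex

# Command-line options that consume the next token. Taken from the options
# visible in the post (-u, -c, -i, -l, --pid-path) plus -g; everything else
# is treated as a bare flag.
OPTS_WITH_ARG = {"-u", "-g", "-c", "-i", "-l", "--pid-path"}

OUTPUT_RE = re.compile(r"^\s*output\s+log_tcpdump\s*:\s*(\S+)", re.MULTILINE)


def strip_comments(text):
    """Drop '#' comments and blank lines, like the post's `stripcom`."""
    kept = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line:
            kept.append(line)
    return "\n".join(kept)


def log_tcpdump_targets(conf_text):
    """Return the filename given on every active 'output log_tcpdump:' line."""
    return OUTPUT_RE.findall(strip_comments(conf_text))


def parse_cmdline(cmdline):
    """Pull the logging-relevant fields out of a snort command line."""
    argv = shlex.split(cmdline)
    info = {"user": None, "config": None,
            "logdir": "/var/log/snort",   # Snort's default log directory
            "logging_disabled": False}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in OPTS_WITH_ARG and i + 1 < len(argv):
            val = argv[i + 1]
            if tok == "-u":
                info["user"] = val
            elif tok == "-c":
                info["config"] = val
            elif tok == "-l":
                info["logdir"] = val
            i += 2
            continue
        if tok == "-N":            # -N: packet logging off, alerts still work
            info["logging_disabled"] = True
        i += 1
    return info


def resolve_target(target, logdir):
    """Relative log_tcpdump names live under the -l directory; Snort then
    appends a timestamp, so the on-disk name is <target>.<epoch>."""
    return target if os.path.isabs(target) else os.path.join(logdir, target)


def diagnose(conf_text, cmdline, dir_exists=os.path.isdir):
    """Return (problems, expected_paths). Empty problems means nothing obvious.

    dir_exists is injectable so the check can run against a config from
    another host; os.path.isdir only answers for the local filesystem and
    for the current user, not for the -u user snort drops to.
    """
    problems, expected = [], []
    info = parse_cmdline(cmdline)
    targets = log_tcpdump_targets(conf_text)
    if not targets:
        problems.append("no active 'output log_tcpdump:' line in the config")
    if info["logging_disabled"]:
        problems.append("-N on the command line disables packet logging; "
                        "alerts still fire but log_tcpdump writes nothing")
    for target in targets:
        path = resolve_target(target, info["logdir"])
        expected.append(path)
        directory = os.path.dirname(path)
        if not dir_exists(directory):
            problems.append(f"log directory {directory} does not exist")
    return problems, expected


# Constructed from the post's ds1 host (config line and `pg snort` output).
SAMPLE_CONF = """\
# output plugins
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: /usr/local/pf/var/violation_pcap
# output log_tcpdump: tcpdump.log   (commented out, must be ignored)
"""
SAMPLE_CMDLINE = ("/usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf "
                  "-i eth1 -N -D -l /usr/local/pf/var --pid-path /usr/local/pf/var/run")

if __name__ == "__main__":
    found, paths = diagnose(SAMPLE_CONF, SAMPLE_CMDLINE)
    user = parse_cmdline(SAMPLE_CMDLINE)["user"] or "root"
    for p in paths:
        print(f"expect {p}.<epoch>; {os.path.dirname(p)} must be writable by {user}")
    for f in found or ["no obvious problem found"]:
        print("-", f)
```

Run it as-is to see the ds1 case, or feed it `stripcom snort.conf` output and the `ps` command line from any host; the one thing it cannot do is confirm writability for the -u user, so verify that step on the box itself.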