Re: Snort logs different than the stuff I see in BASE.

[Joel Esler <eslerj () gmail com>]

That's fine, let us know what you can.
Incidentally, -b and log_tcpdump are the same thing.

J

On Fri, Feb 27, 2009 at 10:09 AM, Bruno G. San Alejo <bgonzalez () polar es>wrote:

>    Hi, I had already done something like that with the -b option, but
> since I'm a newbie with this stuff so I went into the snort.conf and
> commented out the DB output and uncommented the option for the
> log_tcpdump option. I don't know if it will work differently.
>
>    In my time zone my job time ends in minutes and my parental duties
> take over, so I don't think I'll be sending anything new till Monday
> morning. :)
>
>    Thanks.
>
>
>
>
>
>
>
> Joel Esler wrote:
> > Try this, don't output to database.  Try having Snort just output
> > directly to pcap format, then we can try and figure out where the
> > problem may lie.
> >
> > J
> >
> > On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo
> > <bgonzalez () polar es <mailto:bgonzalez () polar es>> wrote:
> >
> >
> >        Hello, I'm missing out something here because I have produced some
> >     log files from snort and when I check them out with wireshark I
> cannot
> >     find some alert packets that I see at BASE.
> >
> >        In detail, I see some ICMPs redirect messages in the logs (through
> >     wireshark, they are in tcpdump format), but BASE shows just one.
> Also,
> >     the mac addresses involved are not the same (I have just one sensor),
> >     though the IPs are. I know this because the packet saved as pcap from
> >     BASE and opened with Wireshark has plain wrong mac addresses.
> >
> >        I thought that some packets could get lost due to heavy load
> >     (actually this is a live network, but I'm running snort non
> >     promiscous).
> >     But the discrepancies between what BASE shows me and what snort logs
> >     makes me believe I'm doing something wrong.
> >
> >        Thanks.
> ------------------------------------------------------------------------------
> >     Open Source Business Conference (OSBC), March 24-25, 2009, San
> >     Francisco, CA
> >     -OSBC tackles the biggest issue in open source: Open Sourcing the
> >     Enterprise
> >     -Strategies to boost innovation and cut costs with open source
> >     participation
> >     -Receive a $600 discount off the registration fee with the source
> >     code: SFAD
> >     http://p.sf.net/sfu/XcvMzF8H
> >     _______________________________________________
> >     Snort-users mailing list
> >     Snort-users () lists sourceforge net
> >     <mailto:Snort-users () lists sourceforge net>
> >     Go to this URL to change user options or unsubscribe:
> >     https://lists.sourceforge.net/lists/listinfo/snort-users
> >     Snort-users
> >     <
> https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>
> >     list archive:
> >     http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
> > <mailto:jesler () sourcefire com>
> > [m]


-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
[m]

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users