Snort mailing list archives

Re: snort is logging alerts but not capturing corresponding packets for some rules


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Apr 2011 14:46:37 -0400

No.  They are in unified.

On Wed, Apr 27, 2011 at 2:02 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 4/26/2011 14:57, Joel Esler wrote:
No, it's my fault, I should have recognized the problem.

Alerts that are not based off of the pseudo packet are logged to tcpdump.

The pseudo packet is created by stream5 internal to Snort to be able to fire on stream reassembled traffic (such as this).  It's only externally logged via unified.

so... we don't get a pcap of the packets used in the reassembly so that we can snoop the actual traffic?? if so, that doesn't seem right... we get pcaps for all the other alerts but just not for ones reassembled... am i understanding that correctly?


------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

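The point of the thread is that the stream5 pseudo packet behind a reassembly alert is not written to the tcpdump log and only reaches the outside world through unified output. The script below, added here as an illustration and not code from Joel Esler, waldo kitty or the Snort project, reads a unified2 file, pairs each packet record with the IDS event it belongs to (by sensor id and event id), and writes the packet bytes out as a classic pcap so that the reassembled pseudo packet can be opened in a pcap viewer. The record layouts (type 7 IPv4 event record with big-endian fields, type 2 packet record with a 28-byte header followed by the packet bytes) are assumed from the Snort 2.x unified2 format; the input file is constructed inline with placeholder values rather than captured from a real sensor.

```python
import struct

# Unified2 record type ids (assumed from the Snort 2.x unified2 format).
UNIFIED2_PACKET = 2      # packet record: the bytes Snort fired on
UNIFIED2_IDS_EVENT = 7   # IPv4 IDS event record

# Assumed layouts; all fields are big-endian ("!").
EVENT_FMT = "!11IHHBBBB"   # 52 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag",
                "impact", "blocked")
PACKET_FMT = "!7I"         # 28 bytes, then packet_length bytes of packet data
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_records(data):
    """Split a unified2 byte string into (type, payload) tuples.

    Every record starts with an 8-byte header: uint32 type, uint32 length.
    """
    records = []
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        records.append((rtype, data[off:off + rlen]))
        off += rlen
    return records


def parse_event(payload):
    """Decode a type 7 event record into a dict of named fields."""
    if len(payload) < struct.calcsize(EVENT_FMT):
        raise ValueError("short event record")
    return dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, payload, 0)))


def parse_packet(payload):
    """Decode a type 2 packet record; 'data' holds the raw packet bytes."""
    hdr_len = struct.calcsize(PACKET_FMT)
    pk = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, payload, 0)))
    end = hdr_len + pk["packet_length"]
    if end > len(payload):
        raise ValueError("packet_length exceeds record length")
    pk["data"] = payload[hdr_len:end]
    return pk


def correlate(data):
    """Return (event, packet) pairs; event is None if no matching event was seen."""
    events = {}
    pairs = []
    for rtype, payload in parse_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(payload)
            events[(ev["sensor_id"], ev["event_id"])] = ev
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(payload)
            pairs.append((events.get((pk["sensor_id"], pk["event_id"])), pk))
        # other record types (IPv6 events, extra data) are skipped here
    return pairs


def to_pcap(packets, linktype=1):
    """Build a classic little-endian pcap (magic 0xa1b2c3d4, version 2.4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for pk in packets:
        n = len(pk["data"])
        out += struct.pack("<IIII", pk["packet_second"], pk["packet_microsecond"], n, n)
        out += pk["data"]
    return bytes(out)


def build_sample():
    """Constructed unified2 file: one event followed by its packet record."""
    # Placeholder Ethernet/IPv4-shaped bytes standing in for a stream5 pseudo packet.
    payload = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 41
    event = struct.pack(EVENT_FMT, 0, 1, 1303930000, 0, 1000001, 1, 1, 3, 2,
                        0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    packet = struct.pack(PACKET_FMT, 0, 1, 1303930000, 1303930000, 500, 1,
                         len(payload)) + payload
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    pairs = correlate(build_sample())
    for ev, pk in pairs:
        sid = ev["signature_id"] if ev else "?"
        print(f"event {pk['event_id']} sid {sid}: {len(pk['data'])} byte packet")
    with open("unified2_packets.pcap", "wb") as fh:
        fh.write(to_pcap([pk for _, pk in pairs]))
```

To run it against a real sensor, point it at the file written by `output unified2` in snort.conf instead of `build_sample()`. Note that for a reassembly alert the packet record carries the rebuilt pseudo packet, not the individual wire frames that were reassembled, which is exactly the limitation discussed above.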
