Snort mailing list archives

missing pcaps for alerts


From: John Ives <jives () security berkeley edu>
Date: Tue, 18 Oct 2011 16:24:14 -0700


Recently, after upgrading to 2.9.1.1 (from 2.9.1.0) on several FreeBSD
sensors, I noticed that only some of the alerts are logging the pcap
output from the alerts that it is putting in the local logs and
sending via syslog.

At first I noticed it in several Emerging Threats alerts, but today I
found that some of the VRT rules are also missing the
corresponding pcaps.

The rules that are consistently missing pcaps are:

Emerging Threats Rules:
2011146
2011588
2011894
2012299
2012491
2012609
2012612
2012616
2012799
2012801
2012893
2013076
2013093
2013094
2013202
2013372
2013387
2013508
2013520
2013651
2013666
2013686


VRT Rules:
10196
10197
16008

Snort information:
Installed from FreeBSD ports with support for IPV6, GRE,
DECODERPRE, ZLIB, PERFPROFILE
OS: FreeBSD 8.1 64bit

The missing packets are not intermittent, but consistent since the
upgrade.

Thank you,

John


-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
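The kind of cross-check a sensor operator would run to confirm the symptom described above, as an added example that is not part of the original post or of Snort itself: it parses Snort's standard syslog alert format ("[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport"), reads a classic libpcap file with Ethernet/IPv4 frames as produced by Snort's pcap logging, keys both sides by (protocol, src, sport, dst, dport), and reports the SIDs whose alert flow never appears in the capture. The alert lines and the pcap bytes are constructed inline for the demonstration; the SIDs are taken from the post, the message text is placeholder. It assumes alerts and packets are keyed in the same direction and that the capture is in the classic pcap format (not pcapng or unified2).

```python
"""Report Snort alert SIDs that have no matching packet in a logged pcap.

Added example, not code from the mailing-list post. Assumes Snort's
syslog alert line format and a classic libpcap file (Ethernet link type).
"""
import re
import struct
from collections import defaultdict

# Snort syslog alert line, e.g.
# "[1:2011146:3] MSG [Classification: X] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.0.2.10:80"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: \d+\]\s+"
    r"\{(?P<proto>TCP|UDP|ICMP)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alerts(lines):
    """Return a list of (sid, flow_key) for every line that matches the alert format."""
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (ICMP alerts carry no ports -> port 0)
        key = (m["proto"], m["src"], int(m["sport"] or 0), m["dst"], int(m["dport"] or 0))
        out.append((int(m["sid"]), key))
    return out


def flows_in_pcap(data):
    """Count packets per (proto, src, sport, dst, dport) in a classic pcap (Ethernet/IPv4)."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the record headers
    counts = defaultdict(int)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # only Ethernet frames carrying IPv4 are keyed
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto_num = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto_num in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            proto = "TCP" if proto_num == 6 else "UDP"
        elif proto_num == 1:
            sport = dport = 0
            proto = "ICMP"
        else:
            continue
        counts[(proto, src, sport, dst, dport)] += 1
    return counts


def sids_without_packets(alert_lines, pcap_bytes):
    """Sorted list of SIDs whose alert flow has zero packets in the pcap."""
    flows = flows_in_pcap(pcap_bytes)
    return sorted({sid for sid, key in parse_alerts(alert_lines) if flows.get(key, 0) == 0})


# --- constructed sample data (not real sensor output) ---------------------
def _ipv4_tcp_frame(src, sport, dst, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums left zero (parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with link type 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_ALERTS = [  # constructed; SIDs from the post, message text is placeholder
    "Oct 18 16:01:02 sensor1 snort[1234]: [1:2011146:3] PLACEHOLDER MSG A "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.0.2.10:80",
    "Oct 18 16:01:05 sensor1 snort[1234]: [1:10196:4] PLACEHOLDER MSG B "
    "[Classification: Misc activity] [Priority: 2] {TCP} 10.0.0.7:51000 -> 192.0.2.20:443",
]
# Only the first alert's flow was captured, so SID 10196 should be reported as missing.
SAMPLE_PCAP = build_pcap([_ipv4_tcp_frame("10.0.0.5", 40000, "192.0.2.10", 80)])

if __name__ == "__main__":
    print("SIDs with alerts but no packets:", sids_without_packets(SAMPLE_ALERTS, SAMPLE_PCAP))
```

In practice, feed it the syslog lines for one sensor and the pcap file Snort wrote for the same interval; a SID that shows up consistently in the output across intervals is the kind the post is describing, while an intermittent one more likely points at capture or rotation timing.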
