Snort mailing list archives
Re: missing pcaps for alerts
From: John Ives <jives () security berkeley edu>
Date: Tue, 18 Oct 2011 17:54:14 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2011 5:37 PM, Joel Esler wrote:
From your email, you are implying that you are getting packets for all other rules? What is your output method?
Correct. Most of the rules triggered still seem to log packets and they do it consistently. The output methods did not change between 2.9.1.0 and 2.9.1.1 and are:

    output log_tcpdump: snort.log
    output alert_syslog: LOG_LOCAL4 LOG_DEBUG
    output alert_fast: alert

The alert_fast output was put in to double check the syslog alerts, but like I said it wasn't changed.

Yours,
John
On Oct 18, 2011, at 7:24 PM, John Ives <jives () security berkeley edu> wrote:

Recently, after upgrading to 2.9.1.1 (from 2.9.1.0) on several FreeBSD sensors, I noticed that only some of the alerts are logging the pcap output for the alerts that it is putting in the local logs and sending via syslog. At first I noticed it in several Emerging Threats alerts, but today I also found that some of the VRT rules are missing the corresponding pcaps. The rules that are consistently missing pcaps are:

Emerging Threats Rules:
2011146 2011588 2011894 2012299 2012491 2012609 2012612 2012616 2012799 2012801 2012893 2013076 2013093 2013094 2013202 2013372 2013387 2013508 2013520 2013651 2013666 2013686

VRT Rules:
10196 10197 16008

Snort information:
Installed from FreeBSD ports with support for IPV6, GRE, DECODERPRE, ZLIB, PERFPROFILE
OS: FreeBSD 8.1 64bit

The missing packets are not intermittent, but consistent since the upgrade.

Thank you,
John

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security threats,
fraudulent activity and more. Splunk takes this data and makes sense of it.
Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
- --
- -------------------------------------------------------------------------
John Ives
System & Network Security
Phone (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOnh+2AAoJEJkidK6qbywste0H/j52DchfVVFmn8o6xHWObznH
oJYOVdniBmFELVgqOk/Vvlov9hrbRq9C3h/jB9wXSSWwkKOLq7Akc2vfIlL1K0dV
Ubd86zVGz4lCMnzk499/ly18c36uCZDiBUEJtmjUgNoBm2hDoTwbn4kGHTLKJSM5
nHeZW9T4ArIDG3KCz9OJ4gewljdeGgei623TVhyINnQCN+u9ayT7IkANqma2GQVd
BR7UJagCEFbl9+WH3TF9CjvJsEjUryFhH/R0fx8PetMd9nBggJTWYID9fJW9AeyP
mrEEdH3wQvh2C0BNQffwHQHBw5zUN26lLePZX4Pb0PJyqlRl3o8Pc80NeZ9TEC8=
=nBBH
-----END PGP SIGNATURE-----
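Editor's note: the thread above reports alerts that appear in the alert_fast file but have no matching packet in the log_tcpdump pcap, and a list of SIDs was compiled by hand. The script below is an added example (not code from this thread, from the Snort project, or from John Ives) that automates that cross-check: it parses alert_fast lines, reads the libpcap file written by log_tcpdump, and reports every SID with at least one alert for which no packet with the same timestamp and 5-tuple was logged. Because log_tcpdump writes plain packets with no event identifier, timestamp-plus-5-tuple is the only join key available; that matching rule, the assumption that the sensor writes alert timestamps in UTC (adjust the tz argument otherwise), the Ethernet link type, and all sample alerts and packets are constructed for this example. Unified2 output, which records an event ID alongside each packet, is the more robust way to do this on a real sensor.

```python
"""Cross-check Snort alert_fast output against a log_tcpdump pcap (added example)."""
import re
import struct
from datetime import datetime, timezone

# alert_fast line shape, e.g.
# 10/19-00:54:14.123456  [**] [1:2011146:3] msg [**] [Classification: x] [Priority: 3] {TCP} 10.0.0.5:44321 -> 192.0.2.10:80
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>TCP|UDP|ICMP)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_alerts(text):
    """Return [(sid, key)] for each alert_fast line; key = (time fields, proto, src, sport, dst, dport)."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            key = (m["mon"], m["day"], m["h"], m["m"], m["s"], m["us"],
                   m["proto"], m["src"], m["sport"] or "", m["dst"], m["dport"] or "")
            out.append((int(m["sid"]), key))
    return out


def packet_key(ts_sec, ts_usec, pkt, tz=timezone.utc):
    """Build the same key from an Ethernet/IPv4 frame; returns None for non-IPv4 or unknown protocol."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    name = PROTO_NAMES.get(pkt[23])
    if name is None:
        return None
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    l4 = 14 + ihl
    sport = dport = ""
    if pkt[23] in (6, 17) and len(pkt) >= l4 + 4:
        sport, dport = (str(p) for p in struct.unpack("!HH", pkt[l4:l4 + 4]))
    t = datetime.fromtimestamp(ts_sec, tz=tz)  # assumption: alert_fast timestamps are in this zone
    return (f"{t.month:02d}", f"{t.day:02d}", f"{t.hour:02d}", f"{t.minute:02d}",
            f"{t.second:02d}", f"{ts_usec:06d}", name, src, sport, dst, dport)


def parse_pcap_keys(data, tz=timezone.utc):
    """Return the set of keys for every IPv4 packet in a classic libpcap file (Ethernet link type assumed)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond variants not handled)")
    _major, _minor, _zone, _sig, _snap, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError(f"link type {linktype} not supported; this example assumes Ethernet")
    keys, off = set(), 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        key = packet_key(ts_sec, ts_usec, data[off + 16:off + 16 + incl_len], tz)
        if key:
            keys.add(key)
        off += 16 + incl_len
    return keys


def alerts_without_packets(alert_text, pcap_bytes, tz=timezone.utc):
    """Map SID -> number of alerts with no packet of identical timestamp and 5-tuple in the pcap."""
    keys = parse_pcap_keys(pcap_bytes, tz)
    missing = {}
    for sid, key in parse_alerts(alert_text):
        if key not in keys:
            missing[sid] = missing.get(sid, 0) + 1
    return missing


# ---- constructed sample data (not captured from any real sensor) ----
def _frame(proto, src, sport, dst, dport):
    """Minimal Ethernet/IPv4 frame carrying only the L4 port pair."""
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


def _pcap(records):
    """Little-endian libpcap file; records = [(ts_sec, ts_usec, frame)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


TS = int(datetime(2011, 10, 19, 0, 54, 14, tzinfo=timezone.utc).timestamp())
SAMPLE_ALERTS = """\
10/19-00:54:14.123456  [**] [1:2011146:3] constructed sample alert A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:44321 -> 192.0.2.10:80
10/19-00:54:15.000001  [**] [1:10196:9] constructed sample alert B [**] [Priority: 3] {UDP} 10.0.0.5:5353 -> 192.0.2.20:53
10/19-00:54:16.500000  [**] [1:2012491:2] constructed sample alert C [**] [Priority: 2] {TCP} 10.0.0.6:51000 -> 192.0.2.30:443
"""
SAMPLE_PCAP = _pcap([
    (TS, 123456, _frame(6, "10.0.0.5", 44321, "192.0.2.10", 80)),   # matches alert A
    (TS + 1, 1, _frame(17, "10.0.0.5", 5353, "192.0.2.20", 53)),    # matches alert B
    (TS + 5, 0, _frame(6, "10.0.0.9", 40000, "192.0.2.40", 22)),    # unrelated packet; alert C has none
])

if __name__ == "__main__":
    for sid, n in sorted(alerts_without_packets(SAMPLE_ALERTS, SAMPLE_PCAP).items()):
        print(f"sid {sid}: {n} alert(s) with no logged packet")
```

Run it against a real sensor with the alert file and snort.log from the same interval; any SID that shows up repeatedly, rather than only for packets dropped at the edge of a log rotation, is a candidate for the kind of per-rule loss described in the thread.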
Current thread:
- missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts Eoin Miller (Oct 20)
- Re: missing pcaps for alerts Joel Esler (Oct 20)
- Re: missing pcaps for alerts John Ives (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 20)