Re: missing pcaps for alerts

[John Ives <jives () security berkeley edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2011 5:37 PM, Joel Esler wrote:
> From your email, you are implying that you are getting packets for
> all other rules?
>
> What is your output method?

Correct.  Most of the rules triggered still seem to log packets and
they do it consistently.  The output methods did not change between
2.9.1.0 and 2.9.1.1 and are:

output log_tcpdump: snort.log
output alert_syslog:  LOG_LOCAL4 LOG_DEBUG
output alert_fast: alert

The alert_fast output was put in to double check the syslog alerts,
but like I said it wasn't changed.

Yours,

John



> On Oct 18, 2011, at 7:24 PM, John Ives
> <jives () security berkeley edu> wrote:
>
> Recently, after upgrading to 2.9.1.1 (from 2.9.1.0) on several
> FreeBSD sensors, I noticed that only some of the alerts are logging
> the pcap output from the alerts that it is putting in the local
> logs and sending via syslog.
>
> At first I noticed it in several Emerging Threats alerts, but today
> I also found that some of the VRT rules are also missing the 
> corresponding pcaps.
>
> The rules that are consistently missing pcaps for are:
>
> Emerging Threats Rules: 2011146 2011588 2011894 2012299 2012491 
> 2012609 2012612 2012616 2012799 2012801 2012893 2013076 2013093 
> 2013094 2013202 2013372 2013387 2013508 2013520 2013651 2013666 
> 2013686
>
>
> VRT Rules: 10196 10197 16008
>
> Snort information: Installed from FreeBSD ports with support for
> IPV6, GRE, DECODERPRE,ZLIB, PERFPROFILE OS: FreeBSD 8.1 64bit
>
> The missing packets are not intermittent, but consistent since the 
> upgrade.
>
> Thank you,
>
> John
>
>
> > ------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
> > definitive record of customers, application performance,
> > security threats, fraudulent activity and more. Splunk takes this
> > data and makes sense of it. Business sense. IT sense. Common
> > sense. http://p.sf.net/sfu/splunk-d2d-oct 
> > _______________________________________________ Snort-users
> > mailing list Snort-users () lists sourceforge net Go to this URL to
> > change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!


- -- 
- -------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOnh+2AAoJEJkidK6qbywste0H/j52DchfVVFmn8o6xHWObznH
oJYOVdniBmFELVgqOk/Vvlov9hrbRq9C3h/jB9wXSSWwkKOLq7Akc2vfIlL1K0dV
Ubd86zVGz4lCMnzk499/ly18c36uCZDiBUEJtmjUgNoBm2hDoTwbn4kGHTLKJSM5
nHeZW9T4ArIDG3KCz9OJ4gewljdeGgei623TVhyINnQCN+u9ayT7IkANqma2GQVd
BR7UJagCEFbl9+WH3TF9CjvJsEjUryFhH/R0fx8PetMd9nBggJTWYID9fJW9AeyP
mrEEdH3wQvh2C0BNQffwHQHBw5zUN26lLePZX4Pb0PJyqlRl3o8Pc80NeZ9TEC8=
=nBBH
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!