Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Martin Holste <mcholste () gmail com>
Date: Thu, 20 Oct 2011 11:48:02 -0500
You will need a full pcap to reproduce the issue correctly. The tcpdump.log will only have the packet the alert hit on, not the full stream. Use something like daemonlogger, sancp, or ipaudit to do full pcap, which you should really do anyway.

On Thu, Oct 20, 2011 at 11:20 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> Hello all...
>
> On 20/10/2011 16:33, Martin Holste wrote:
>> The same happens on 2.9.1.1 when using a pcap readfile?
>
> I've tried with the following:
>
> snort -c /etc/snort/pcap.conf -r tcpdump.log -A console -q
>
> 'pcap.conf' is similar to my snort.conf but with afpacket DAQ commented out and only including one ruleset. However this doesn't work on my 2.8.6 box either with a tcpdump.log generated from the actual alert so I'm obviously using the -r option incorrectly!
>
> --
> Peter Bates
> Senior Computer Security Officer
> Information Services Division
> University College London
> London WC1E 6BT
> Phone: +44(0)2076792049
> Internal Ext: 32049
------------------------------------------------------------------------------ The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Ciosco Self-Assessment and learn about Cisco certifications, training, and career opportunities. http://p.sf.net/sfu/cisco-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
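One way to confirm the point Martin makes above before spending time on a replay: the script below (an added example, not code from the thread or from the Snort project) parses a libpcap file with the standard library only and reports the TCP flows that contain no client SYN, which is exactly what an alert-triggered tcpdump.log looks like. Such flows give the stream preprocessor no session start, so rules that depend on flow state, flowbits or reassembled payload will not fire on `snort -r`. The frame and pcap builders exist only to construct sample input inline; the addresses and ports are made up.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, not captured traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def flow_summary(data):
    """Map each TCP flow (sorted endpoint pair) to (packet_count, client_syn_seen)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # classic magic only
    flows = defaultdict(lambda: [0, False])
    pos = 24                                   # skip the global pcap header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":        # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                         # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        a = "%d.%d.%d.%d:%d" % (*ip[12:16], sport)
        b = "%d.%d.%d.%d:%d" % (*ip[16:20], dport)
        key = tuple(sorted((a, b)))
        flows[key][0] += 1
        if tcp[13] & SYN and not tcp[13] & ACK:  # client SYN: stream start is in the capture
            flows[key][1] = True
    return {k: tuple(v) for k, v in flows.items()}

def flows_missing_handshake(data):
    """Flows a replay cannot track from the start: no client SYN was captured."""
    return sorted(k for k, (_, syn) in flow_summary(data).items() if not syn)
```

Against a real capture, call `flows_missing_handshake(open("tcpdump.log", "rb").read())`; if the flow you are testing is listed, the file holds only the alert packet and a full capture from daemonlogger or similar is needed for the replay.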
Current thread:
- Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Joel Esler (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 21)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)