Re: Rules not hit on 2.9.1.1 sensor

[Martin Holste <mcholste () gmail com>]

You will need a full pcap to reproduce the issue correctly.  The
tcpdump.log will only have the packet the alert hit on, not the full
stream.  Use something like daemonlogger, sancp, or ipaudit to do full
pcap, which you should really do anyway.

On Thu, Oct 20, 2011 at 11:20 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all...
>
> On 20/10/2011 16:33, Martin Holste wrote:
> > The same happens on 2.9.1.1 when using a pcap readfile?
>
> I've tried with the following:
>
> snort -c /etc/snort/pcap.conf -r tcpdump.log -A console -q
>
> 'pcap.conf' is similar to my snort.conf but with afpacket DAQ
> commented out and only including one ruleset.
>
> However this doesn't work on my 2.8.6 box either with a tcpdump.log
> generated from the actual alert so I'm obviously using the -r option
> incorrectly!
>
> - --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOoEpnAAoJELhVoVpEMS6RI1EIAIjvRYpchDBjgesI0rOLsE8P
> /z87i2S1MCT4+RJpHZxuC26iJlFM0z5jBCIhLacgE547+G4nZXmRU/eMCBxynvcU
> xfAf/PSG2L4WSCb2CrOjQG9x4wYPHLFN28OiQ2KqvKSp4SDxMoG2m1AQZweqM/Jy
> RSr0K5/gI7z1Ddas7nN2AnkS/8YtpJ+So0ywIxzmgXiJCfSaa5cS40M3qwtUw8T0
> gODbXcD/nEmRtA2R/T9sk8u3c7oN3t8OQdRVAo5mzDaI3vyRAyO230KYpoF952zt
> Aao4UwzsfpTMbhAhPwPlmeM1O0b4kLZwad6BYbvEASIQk2TKqVEo0zj+u9GWwWo=
> =CtoH
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Ciosco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!