Snort mailing list archives

log_tcpdump does not log


From: Han Boetes <hboetes () utelisys com>
Date: Mon, 19 Mar 2012 12:59:23 +0100

Hi,

I am trying to check whether packetfence is generating a false positive or not
on certain packages, and to do that I would like to capture the packets
that generated an alert with log_tcpdump into a file.

Snort starts fine with that line in the configuration but the file isn't
generated after alerts. Yes, snort can write to the given directory.

Actually I have three machines running snort and it works on one and not
the other two.
hboetes@oink /etc/snort % snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes@oink /etc/snort % l /var/log/snort/tcpdump.log.133*
-rw------- 1 root root 8.0M Mar 19 12:47
/var/log/snort/tcpdump.log.1332123032
hboetes@oink /etc/snort % stripcom snort.conf|grep tcpdump
output log_tcpdump: tcpdump.log


hboetes@ds2 /usr/local/pf/conf % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes@ds2 /usr/local/pf/conf % stripcom
/usr/local/pf/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/tcpdump.log
% ls /usr/local/pf/var/tcpdump.log*
zsh: no matches found: /usr/local/pf/var/tcpdump.log*

hboetes@ds1 ~ % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.1 IPv6 GRE (Build 107)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

hboetes@ds1 ~ % stripcom /usr/local/pf/var/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/violation_pcap
hboetes@ds1 ~ % l /usr/local/pf/var/violation_pcap*
zsh: no matches found: /usr/local/pf/var/violation_pcap*
hboetes@ds1 ~ % pg snort
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
pf        1322 20.6  0.5  67900 43860 ?        Ssl  12:57   0:02
/usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -D
-l /usr/local/pf/var --pid-path /usr/local/pf/var/run

Kind regards,


Han Boetes
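One thing worth checking when an `output log_tcpdump:` line produces no file is the Snort command line itself: the `ps` output for ds1 above shows snort started with `-N`, which Snort documents as "Turn off logging (alerts still work)", so no `log_*` output plugin will write anything regardless of the configuration. The script below is an added diagnostic, not part of the original post or of Snort or PacketFence; it reads a Snort command line and a snort.conf and reports why log_tcpdump would stay silent. The function names (`has_nolog_flag`, `log_dir`, `tcpdump_target`, `diagnose`) are my own, and it assumes Snort's default log directory of `/var/log/snort` when `-l` is absent and that a relative log_tcpdump filename is placed under the `-l` directory with a Unix-timestamp suffix, as in the `tcpdump.log.1332123032` file on the working host.

```shell
#!/bin/sh
# Added diagnostic for "output log_tcpdump: ... writes nothing".
# Not from the original post; helper names are hypothetical.
# Assumption: Snort's -N flag disables packet logging ("Turn off logging,
# alerts still work"), -l sets the log directory (default /var/log/snort),
# and a relative log_tcpdump name lands under that directory with a
# ".<unix-timestamp>" suffix.

# has_nolog_flag "<snort command line>" -> exit 0 if -N is a separate argument
has_nolog_flag() {
    for arg in $1; do
        [ "$arg" = "-N" ] && return 0
    done
    return 1
}

# log_dir "<snort command line>" -> prints the -l directory, or Snort's default
log_dir() {
    prev=""
    for arg in $1; do
        if [ "$prev" = "-l" ]; then
            printf '%s\n' "$arg"
            return 0
        fi
        prev="$arg"
    done
    printf '/var/log/snort\n'
}

# tcpdump_target "<snort.conf>" "<logdir>" -> prints the file Snort would
# write (before the timestamp suffix); exit 1 if there is no log_tcpdump line
tcpdump_target() {
    name=$(grep -E '^[[:space:]]*output[[:space:]]+log_tcpdump:' "$1" \
        | head -n 1 \
        | sed -e 's/^.*log_tcpdump:[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -z "$name" ] && return 1
    case "$name" in
        /*) printf '%s\n' "$name" ;;            # absolute path used as-is
        *)  printf '%s/%s\n' "$2" "$name" ;;    # relative: under the -l directory
    esac
}

# diagnose "<snort command line>" "<snort.conf>" -> one verdict line on stdout
# exit 0 = expect a file, 2 = -N set, 3 = no log_tcpdump line, 4 = missing dir
diagnose() {
    if has_nolog_flag "$1"; then
        echo "NOLOG: -N is set; log_tcpdump (and every log_* output) is disabled"
        return 2
    fi
    dir=$(log_dir "$1")
    if ! target=$(tcpdump_target "$2" "$dir"); then
        echo "NOCONF: no 'output log_tcpdump:' line in $2"
        return 3
    fi
    dir_of=$(dirname "$target")
    if [ ! -d "$dir_of" ]; then
        echo "NODIR: $dir_of does not exist"
        return 4
    fi
    echo "OK: expect files named $target.<unix-timestamp>"
    return 0
}

# Stand-alone use: sh snort_logcheck.sh "<snort command line>" /path/to/snort.conf
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it with the exact command line from `ps` and the conf that process was started with (`-c`), since PacketFence keeps a template under `conf/` and the generated file under `var/conf/`; the verdict for the ds1 command line above is `NOLOG`, which is independent of any `output` line or directory permission.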

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
