Snort mailing list archives

Rule is triggering when read from pcap but not during live capture


From: "Bryant, Alex B. (CDC/OCOO/OCIO)" <ize1 () cdc gov>
Date: Tue, 3 Nov 2015 17:14:41 +0000

I implemented the following rule:

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; 
flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; 
content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; 
reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; 
classtype:policy-violation; sid:30281; rev:1;)

...but in testing, the corresponding traffic only generates an alert when read into Snort in a .pcap - not in 
production / live capture. I captured the pcap on the sensor itself, using the Snort capture interface (verified 
several times that I'm using the right interface), and when I ran the pcap through Snort, it triggered the alert.

Any ideas as to why a live capture does not trigger this alert, but reading in a pcap of the exact same traffic would?

Thanks!
--Alex
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
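To make concrete what the rule's content matches require of a packet, here is an added Python example (not from the original post, and not Snort project code) that emulates the three content / depth / distance / within tests over a constructed SMB2 CREATE request for the PSEXESVC named pipe. The payload builder, its placeholder field values (session id, tree id, access masks) and the negative cases are constructed for illustration, following the MS-SMB2 header and CREATE layouts; nothing here is taken from a real capture. It models only the content part of the rule: flow:to_server,established and the netbios-ssn service metadata are decided by Snort's stream and service tracking for the live session, which this emulation does not reproduce, and they are evaluated before the content matches ever run.

```python
import struct

# The three contents of the posted rule, in the order the rule evaluates them.
SMB2_MAGIC = b"\xfeSMB"                              # content:"|FE|SMB"; depth:8; nocase
SMB2_CREATE = b"\x05\x00"                            # content:"|05 00|"; distance:8; within:2
PSEXESVC_UTF16 = "PSEXESVC".encode("utf-16-le")      # content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"


def build_smb2_create(pipe_name: str, command: int = 0x0005) -> bytes:
    """Constructed TCP payload: 4-byte NetBIOS session header, 64-byte SMB2
    header, the 56-byte fixed part of an SMB2 CREATE request, then the
    UTF-16LE file name.  Values other than Command and the name are
    placeholders chosen for the example, not copied from real traffic."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC,          # ProtocolId
        64,                  # StructureSize
        1,                   # CreditCharge
        0,                   # Status
        command,             # Command at header offset 12; 0x0005 = SMB2 CREATE
        1,                   # CreditRequest
        0,                   # Flags
        0,                   # NextCommand
        1,                   # MessageId
        0,                   # Reserved
        1,                   # TreeId (placeholder; IPC$ on a real session)
        0x1122334455667788,  # SessionId (placeholder)
        b"\x00" * 16,        # Signature (unsigned)
    )
    name = pipe_name.encode("utf-16-le")
    body = struct.pack(
        "<HBBIQQIIIIIHHII",
        57,           # StructureSize (fixed at 57 for CREATE)
        0, 0,         # SecurityFlags, RequestedOplockLevel
        2,            # ImpersonationLevel
        0, 0,         # SmbCreateFlags, Reserved
        0x0012019F,   # DesiredAccess (placeholder)
        0,            # FileAttributes
        7,            # ShareAccess (read | write | delete)
        1,            # CreateDisposition (FILE_OPEN)
        0x40,         # CreateOptions (placeholder)
        64 + 56,      # NameOffset: name follows header (64) + fixed body (56)
        len(name),    # NameLength
        0, 0,         # CreateContextsOffset, CreateContextsLength
    )
    smb = header + body + name
    # NetBIOS session service header: zero byte + 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def failing_content(payload: bytes):
    """Emulate the rule's content matches; return the first content that
    fails, or None if all three match.  Only the content part of the rule
    is modelled; flow: and metadata:service are left to Snort itself."""
    # content:"|FE|SMB"; depth:8; nocase -> the whole 4 bytes must lie inside
    # the first 8 bytes of the payload; nocase affects only the letters.
    pos = payload[:8].lower().find(SMB2_MAGIC.lower())
    if pos < 0:
        return "FE SMB"
    cursor = pos + len(SMB2_MAGIC)          # relative matches start here

    # content:"|05 00|"; distance:8; within:2 -> skip 8 bytes after the
    # previous match, then the 2-byte content must sit entirely in the next
    # 2 bytes.  With the NetBIOS header present that is SMB2 header offset 12,
    # the Command field; no nocase, so this is an exact compare.
    start = cursor + 8
    if payload[start:start + 2] != SMB2_CREATE:
        return "05 00"

    # content:"P|00|S|00|..."; fast_pattern:only -> not relative, searched
    # anywhere in the payload, case-sensitive (the rule sets no nocase on it).
    if PSEXESVC_UTF16 not in payload:
        return "PSEXESVC"
    return None


def rule_matches(payload: bytes) -> bool:
    """True when every content option of the rule is satisfied."""
    return failing_content(payload) is None


if __name__ == "__main__":
    cases = {
        "CREATE of \\PSEXESVC": build_smb2_create("PSEXESVC"),
        "CREATE of \\svcctl": build_smb2_create("svcctl"),
        "READ (command 0x0008) carrying the name": build_smb2_create("PSEXESVC", command=0x0008),
        "lower-case pipe name": build_smb2_create("psexesvc"),
        # SMB2 magic pushed to offset 6: ends past depth:8, so content 1 fails.
        "magic beyond depth:8": b"\x00" * 6 + build_smb2_create("PSEXESVC")[4:],
    }
    for label, pkt in cases.items():
        print(f"{label:42s} match={rule_matches(pkt)!s:5s} fails_at={failing_content(pkt)}")
```

The failing_content helper is the useful part when a rule does not fire as expected: it says which content option stopped the match, so you can check that option's depth, distance and within arithmetic against the bytes in the capture. Note that the fast_pattern:only content has no nocase, so the rule as written requires the pipe name in upper-case UTF-16LE exactly as PsExec sends it, and that all three content checks only run once Snort's stream tracker has classified the packet as to_server on an established session.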
