Snort mailing list archives

Snort++ - PCAPs are missing some packets

From: João Soares <joaosoares11 () hotmail com>
Date: Thu, 22 Dec 2016 14:11:16 +0000

Hi everyone,

I'm using Snort++ and saving both alert logs (alert_fast) and .pcaps of
the packets that triggered it. These are my configs:

log_pcap = {limit = 7, units = "M"}
alert_fast = {file = true, limit = 3, units = "G"}

I'm also using 12 threads, which means 12 alert or .pcap files are
created each time the respective size limit is reached.

It seems to be working for most cases, but there are some alerts that do
not have a corresponding packet, an example is this one:

12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} xx.xxx.xxx.xxx:44584 -> xxx.xxx.xxx.xx:80

I've looked in every .pcap and I can't find anything, not even a packet
with this source IP.

Am I missing some configuration? If you need any additional info, please
ask!

Thank you for your time,

Best wishes,

João Soares
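The check the poster did by hand (open every pcap, look for the 5-tuple of each alert) is easy to automate, which matters when log_pcap rolls over across twelve worker threads and the packet could sit in any of the files. The following is an added example, not code from the post or from the Snort project: a standard-library-only Python script that parses alert_fast lines, walks one or more pcap files (Ethernet/IPv4, TCP or UDP) and reports alerts whose source/destination/port tuple never appears in any capture. The alert text reuses the post's xmlrpc.php alert with constructed RFC 5737 addresses; the second alert (sid 1000001, local-rule range) and the in-memory pcap are constructed test data.

```python
import re
import socket
import struct
from collections import Counter

# alert_fast line layout, one alert per line. The Classification part is optional
# in the real format and ICMP alerts carry no ports, so both are optional here.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

_PROTO_NAMES = {1: 'ICMP', 6: 'TCP', 17: 'UDP'}


def parse_alert(line):
    """Parse one alert_fast line into a dict (ports as int or None); None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'pri'):
        a[k] = int(a[k])
    for k in ('sport', 'dport'):
        a[k] = int(a[k]) if a[k] is not None else None
    return a


def parse_frame(frame):
    """Return (proto, src, sport, dst, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return None                      # not IPv4 (IPv6, ARP, VLAN-tagged ...): skipped
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    name = _PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack('!HH', l4[:4])
        return (name, src, sport, dst, dport)
    return (name, src, None, dst, None)


def iter_pcap_flows(data):
    """Yield the 5-tuple of every IPv4 packet in a classic (libpcap) capture given as bytes."""
    magic, = struct.unpack('<I', data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # written little-endian (usec or nsec stamps)
        end = '<'
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # written big-endian
        end = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    linktype, = struct.unpack(end + 'I', data[20:24])
    if linktype != 1:
        raise ValueError('only LINKTYPE_ETHERNET captures are handled')
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        tup = parse_frame(data[off:off + incl_len])
        off += incl_len
        if tup:
            yield tup


def find_unmatched(alert_lines, pcap_blobs):
    """Return the parsed alerts whose (proto, src, sport, dst, dport) appears in no capture."""
    flows = Counter()
    for blob in pcap_blobs:
        flows.update(iter_pcap_flows(blob))
    missing = []
    for line in alert_lines:
        a = parse_alert(line)
        if a and flows[(a['proto'], a['src'], a['sport'], a['dst'], a['dport'])] == 0:
            missing.append(a)
    return missing


# ---- constructed test data (not real traffic) ------------------------------------
def _frame(src, sport, dst, dport, proto=6):
    """Minimal Ethernet/IPv4/L4 frame; checksums left zero, which the parser never checks."""
    l4 = struct.pack('!HH', sport, dport) + b'\x00' * 16
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b'\x00' * 12 + struct.pack('!H', 0x0800) + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (linktype 1) so the example runs offline."""
    header = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    _frame('192.0.2.10', 44584, '198.51.100.5', 80),          # the xmlrpc.php alert's packet
    _frame('192.0.2.20', 5353, '198.51.100.5', 53, proto=17),  # unrelated UDP packet
])
SAMPLE_ALERTS = [
    '12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] '
    '[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44584 -> 198.51.100.5:80',
    '12/22/16-14:05:01.000001 [**] [1:1000001:1] "LOCAL constructed example rule" [**] '
    '[Priority: 3] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80',   # no packet in any capture
]

if __name__ == '__main__':
    for a in find_unmatched(SAMPLE_ALERTS, [SAMPLE_PCAP]):
        print(f"no packet for sid {a['sid']}: {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Against real output, replace SAMPLE_ALERTS with the lines of every alert_fast file and SAMPLE_PCAP with the bytes of every log_pcap file (all twelve per-thread files, and any rotated ones). The tuple match is exact and direction-sensitive, which is what you want here: log_pcap records the packet that fired the rule, so its 5-tuple should equal the one printed in the alert. An alert that is still reported after all files are scanned is a genuine gap rather than a packet hiding in another thread's file.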

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
