Snort mailing list archives
Snort++ - PCAPs are missing some packets
From: João Soares <joaosoares11 () hotmail com>
Date: Thu, 22 Dec 2016 14:11:16 +0000
Hi everyone,

I'm using Snort++ and saving both alert logs (alert_fast) and .pcaps of the packets that triggered them. These are my configs:

    log_pcap = {limit = 7, units = "M"}
    alert_fast = {file = true, limit = 3, units = "G"}

I'm also using 12 threads, which means 12 alert or .pcap files are created each time the respective size limit is reached.

It seems to be working for most cases, but there are some alerts that do not have a corresponding packet. An example is this one:

    12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} xx.xxx.xxx.xxx:44584 -> xxx.xxx.xxx.xx:80

I've looked in every .pcap and I can't find anything, not even a packet with this source IP.

Am I missing some configuration? If you need any additional info, please ask!

Thank you for your time,
Best wishes,
João Soares
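The check the post is doing by hand (look in every .pcap for the packet behind each alert_fast line) can be scripted. The following is an added example written for this archive page; it is not code from the original post or from the Snort project. It parses alert_fast lines of the shape shown above, walks a set of classic (libpcap) pcap files with Ethernet framing, and reports every alert whose 5-tuple appears in none of them. The pcap bytes and alert lines below are constructed inline using RFC 5737 documentation addresses, and rule 1:1000001 is a hypothetical local rule, so the script runs offline; the only assumption about Snort is that its log_pcap output is standard little-endian classic pcap with Ethernet link type.

```python
import ipaddress
import re
import struct
from collections import Counter

# alert_fast line shape, as quoted in the post:
# 12/22/16-14:04:15.520812 [**] [1:3827:14] "msg" [**] [Classification: ...] [Priority: 1] {TCP} A.B.C.D:44584 -> E.F.G.H:80
# Ports are optional so that ICMP alerts (no ports) still parse.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\]'
    r'.*?\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_alert_fast(text):
    """Return one dict per parsable alert_fast line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["key"] = (PROTO_NUM.get(d["proto"]), d["src"], int(d["sport"] or 0),
                    d["dst"], int(d["dport"] or 0))
        alerts.append(d)
    return alerts


def pcap_flow_keys(blob):
    """Parse a little-endian classic pcap (Ethernet link type) and count packets per
    (proto, src, sport, dst, dport). pcapng and nanosecond pcaps are rejected, not guessed."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", blob, 20)
    if linktype != 1:
        raise ValueError("this example only handles LINKTYPE_ETHERNET")
    keys = Counter()
    off = 24                                  # end of the 24-byte global header
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        pkt = blob[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # need Ethernet + minimal IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        sport = dport = 0
        if proto in (6, 17) and len(ip) >= ihl + 4:       # TCP/UDP ports follow the IP header
            sport, dport = struct.unpack_from("!HH", ip, ihl)
        keys[(proto, src, sport, dst, dport)] += 1
    return keys


def find_unlogged_alerts(alert_text, pcap_blobs):
    """Return the alerts whose 5-tuple (in either direction) appears in none of the pcaps."""
    seen = Counter()
    for blob in pcap_blobs:
        seen.update(pcap_flow_keys(blob))
    missing = []
    for a in parse_alert_fast(alert_text):
        proto, src, sport, dst, dport = a["key"]
        if a["key"] not in seen and (proto, dst, dport, src, sport) not in seen:
            missing.append(a)
    return missing


# --- constructed sample data (not real captures) -----------------------------
def build_tcp_packet(src, dst, sport, dport):
    """Ethernet/IPv4/TCP headers with no payload and zeroed checksums; enough for parsing."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(packets):
    """Wrap raw frames in a classic pcap: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1482415455, i, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return hdr + recs


SAMPLE_ALERTS = """\
12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:44584 -> 192.0.2.10:80
12/22/16-14:04:16.000100 [**] [1:1000001:1] "CONSTRUCTED hypothetical local rule" [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.8:51000 -> 192.0.2.10:22
"""
SAMPLE_PCAPS = [
    build_pcap([build_tcp_packet("198.51.100.8", "192.0.2.10", 51000, 22)]),  # packet for alert 2
    build_pcap([build_tcp_packet("203.0.113.5", "192.0.2.10", 40000, 443)]),  # unrelated traffic
]

if __name__ == "__main__":
    for a in find_unlogged_alerts(SAMPLE_ALERTS, SAMPLE_PCAPS):
        print(f"no packet logged for [{a['gid']}:{a['sid']}:{a['rev']}] {a['src']} -> {a['dst']}")
```

Against a real log directory, feed `find_unlogged_alerts` the contents of the alert_fast file and every `log_pcap` output file (all 12 per-thread files, since the thread that raised the alert is the one that wrote its packet). Matching both directions of the 5-tuple keeps the check tolerant of alerts raised on a server-to-client packet.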