[Snort-devel] log_tcpdump does not log

Han Boetes hboetes at ...3267...
Mon Mar 19 07:59:23 EDT 2012


Hi,

I am trying to check whether packetfence is generating a false positive or not
on certain packets, and to do that I would like to capture the packets
that generated an alert into a file with log_tcpdump.

Snort starts fine with that line in the configuration, but the file isn't
generated after alerts. Yes, snort can write to the given directory.

Actually I have three machines running snort, and it works on one and not
on the other two.



hboetes at ...3268... /etc/snort % snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes at ...3268... /etc/snort % l /var/log/snort/tcpdump.log.133*
-rw------- 1 root root 8.0M Mar 19 12:47 /var/log/snort/tcpdump.log.1332123032
hboetes at ...3268... /etc/snort % stripcom snort.conf|grep tcpdump
output log_tcpdump: tcpdump.log


hboetes at ...3269... /usr/local/pf/conf % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes at ...3269... /usr/local/pf/conf % stripcom /usr/local/pf/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/tcpdump.log
% ls /usr/local/pf/var/tcpdump.log*
zsh: no matches found: /usr/local/pf/var/tcpdump.log*

hboetes at ...3270... ~ % snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.1 IPv6 GRE (Build 107)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

hboetes at ...3270... ~ % stripcom /usr/local/pf/var/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/violation_pcap
hboetes at ...3270... ~ % l /usr/local/pf/var/violation_pcap*
zsh: no matches found: /usr/local/pf/var/violation_pcap*
hboetes at ...3270... ~ % pg snort
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
pf        1322 20.6  0.5  67900 43860 ?        Ssl  12:57   0:02 /usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -D -l /usr/local/pf/var --pid-path /usr/local/pf/var/run

Kind regards,


Han Boetes
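An added diagnostic, not part of Han's post or of the Snort project, that runs the checks a reviewer would apply to the three machines above: it takes the snort command line that `ps` shows and the `output log_tcpdump:` directive that `grep` shows, and reports whether `-N` (in Snort's usage text, "Turn off logging (alerts still work)") is present, where a relative log name lands under the `-l` directory, and whether that directory is writable. The function names and the status words it prints are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the post or from Snort): explain why
# "output log_tcpdump:" produces no file for a given snort invocation.

# Print the base path log_tcpdump writes to (Snort appends .timestamp, as in
# tcpdump.log.1332123032). A relative name lands under the -l log directory,
# which defaults to /var/log/snort.  $1: snort.conf, $2: -l directory or ""
log_tcpdump_path() {
    conf=$1; logdir=${2:-/var/log/snort}
    name=$(sed -n 's/^[[:space:]]*output[[:space:]]*log_tcpdump:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$name" ] || return 1
    case $name in
        /*) printf '%s\n' "$name" ;;
        *)  printf '%s/%s\n' "$logdir" "$name" ;;
    esac
}

# Return 0 if the snort arguments carry -N, which in Snort's usage text is
# "Turn off logging (alerts still work)": no output plugin writes anything.
has_no_log_flag() {
    for arg in "$@"; do
        case $arg in
            --*) ;;                  # long options never cluster short flags
            -*N*) return 0 ;;        # bare -N or clustered, e.g. -ND
        esac
    done
    return 1
}

# $1: snort.conf, remaining args: snort's own arguments as shown by ps.
# Prints one of NO_LOG_FLAG, NO_DIRECTIVE, DIR_NOT_WRITABLE <dir>, OK <path>.
diagnose_log_tcpdump() {
    conf=$1; shift
    logdir=; prev=
    for arg in "$@"; do
        [ "$prev" = "-l" ] && logdir=$arg
        prev=$arg
    done
    if has_no_log_flag "$@"; then
        echo "NO_LOG_FLAG"; return 1
    fi
    path=$(log_tcpdump_path "$conf" "$logdir") || { echo "NO_DIRECTIVE"; return 1; }
    dir=$(dirname "$path")
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "OK $path"
    else
        echo "DIR_NOT_WRITABLE $dir"; return 1
    fi
}
```

Run it as `diagnose_log_tcpdump /path/snort.conf <snort args copied from ps>`; on the third machine above the `-N` on the command line is what the check reports first.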