[Snort-users] Snort logs different than the stuff I see in BASE.

Bruno G. San Alejo bgonzalez at ...14528...
Fri Feb 27 07:35:37 EST 2009


    Hello, I'm missing out something here because I have produced some
log files from snort and when I check them out with wireshark I cannot
find some alert packets that I see at BASE.

    In detail, I see some ICMP redirect messages in the logs (through
wireshark, they are in tcpdump format), but BASE shows just one. Also,
the MAC addresses involved are not the same (I have just one sensor),
though the IPs are. I know this because the packet saved as pcap from
BASE and opened with Wireshark has plain wrong MAC addresses.

    I thought that some packets could get lost due to heavy load
(actually this is a live network, but I'm running snort non-promiscuous).
But the discrepancies between what BASE shows me and what snort logs
make me believe I'm doing something wrong.

    Thanks.
