[Snort-users] Snort logs different than the stuff I see in BASE.

Joel Esler eslerj at ...11827...
Fri Feb 27 09:48:43 EST 2009

Try this: don't output to the database.  Try having Snort just output directly
to pcap format, then we can try and figure out where the problem may lie.

On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo <bgonzalez at ...14528...> wrote:

>    Hello, I'm missing something here because I have produced some
> log files from Snort and when I check them out with Wireshark I cannot
> find some alert packets that I see in BASE.
>    In detail, I see some ICMP redirect messages in the logs (through
> Wireshark, they are in tcpdump format), but BASE shows just one. Also,
> the MAC addresses involved are not the same (I have just one sensor),
> though the IPs are. I know this because the packet saved as pcap from
> BASE and opened with Wireshark has plain wrong MAC addresses.
>    I thought that some packets could get lost due to heavy load
> (actually this is a live network, but I'm running Snort non-promiscuous).
> But the discrepancies between what BASE shows me and what Snort logs
> make me believe I'm doing something wrong.
>    Thanks.

Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
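
One way to carry out the comparison this thread is about, as an added example that is not part of either poster's message: list the ICMP redirects in a classic pcap file with their MAC and IP addresses, then report those present in one capture (for instance Snort's own log) but absent from another (for instance a packet exported from BASE). All function names and the sample frames are constructed for illustration; only little- or big-endian microsecond pcap with untagged Ethernet/IPv4 is handled.

```python
import struct
ICMP_REDIRECT = 5  # ICMP type 5 = Redirect

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)
def _ip(b):
    return ".".join(str(x) for x in b)

def icmp_redirects(pcap):
    """Return (src_mac, dst_mac, src_ip, dst_ip, icmp_code) per ICMP redirect."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    found, off = [], 24
    while off + 16 <= len(pcap):
        # Per-record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not untagged IPv4
        icmp_at = 14 + (frame[14] & 0x0F) * 4  # Ethernet + IP header length
        if frame[23] != 1 or len(frame) < icmp_at + 2:
            continue  # IP protocol is not ICMP
        if frame[icmp_at] == ICMP_REDIRECT:
            found.append((_mac(frame[6:12]), _mac(frame[0:6]),
                          _ip(frame[26:30]), _ip(frame[30:34]), frame[icmp_at + 1]))
    return found

def only_in_first(pcap_a, pcap_b):
    """Redirects present in capture A but absent from capture B."""
    seen = set(icmp_redirects(pcap_b))
    return [r for r in icmp_redirects(pcap_a) if r not in seen]

def _frame(src_mac, icmp_type):
    # Constructed minimal frame: checksums zeroed, no redirect payload.
    eth = bytes.fromhex("020000000002" + src_mac + "0800")
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    return eth + iph + struct.pack("!BBHI", icmp_type, 1, 0, 0)

def _pcap(frames):  # constructed little-endian Ethernet capture
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs

# Constructed samples: same redirect, but B carries a different source MAC.
SAMPLE_A = _pcap([_frame("020000000001", 5), _frame("020000000001", 8)])
SAMPLE_B = _pcap([_frame("0200000000ff", 5)])
```

On real files, pass `open(path, "rb").read()` for each capture; a redirect that differs only in its MAC addresses shows up in the `only_in_first` result.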