[Snort-users] Snort logs different than the stuff I see in BASE.

Joel Esler eslerj at ...11827...
Fri Feb 27 09:48:43 EST 2009


Try this, don't output to database.  Try having Snort just output directly
to pcap format, then we can try and figure out where the problem may lie.
J

On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo <bgonzalez at ...14528...> wrote:

>
>    Hello, I'm missing something here because I have produced some
> log files from Snort and when I check them out with Wireshark I cannot
> find some alert packets that I see in BASE.
>
>    In detail, I see some ICMP redirect messages in the logs (through
> Wireshark, they are in tcpdump format), but BASE shows just one. Also,
> the MAC addresses involved are not the same (I have just one sensor),
> though the IPs are. I know this because the packet saved as pcap from
> BASE and opened with Wireshark has plain wrong MAC addresses.
>
>    I thought that some packets could get lost due to heavy load
> (actually this is a live network, but I'm running Snort non-promiscuous).
> But the discrepancies between what BASE shows me and what Snort logs
> make me believe I'm doing something wrong.
>
>    Thanks.
>
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
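
Added example, not part of the original message: one way to list the ICMP redirect frames in a tcpdump-format Snort log together with their MAC addresses, so they can be compared against the alert BASE shows. It assumes a classic (microsecond) pcap with Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def icmp_redirects(pcap_bytes):
    """List the ICMP redirect (type 5) frames in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet link type (1) is handled")
    found, off = [], 24
    while off + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not plain IPv4 over Ethernet (VLAN tags are not handled)
        icmp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header (IHL words)
        if frame[23] != 1 or len(icmp) < 8 or icmp[0] != 5:
            continue  # not an ICMP redirect
        found.append({"src_mac": _mac(frame[6:12]), "dst_mac": _mac(frame[0:6]),
                      "src_ip": _ip(frame[26:30]), "dst_ip": _ip(frame[30:34]),
                      "gateway": _ip(icmp[4:8])})
    return found

def sample_pcap():
    """Constructed capture: one ICMP redirect and one echo request."""
    def record(src_mac, icmp_type):
        eth = bytes.fromhex("00005e005332") + bytes.fromhex(src_mac) + b"\x08\x00"
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 50]))
        icmp = struct.pack(">BBH4s", icmp_type, 1, 0, bytes([192, 0, 2, 254]))
        frame = eth + ip + icmp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record("00005e005301", 5) + record("00005e005302", 8)

if __name__ == "__main__":
    for r in icmp_redirects(sample_pcap()):
        print(r)
```

Running the same function over the Snort log file and over the pcap exported from BASE puts the two sets of MAC addresses side by side.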

