[Snort-users] Snort logs different than the stuff I see in BASE.

Bruno G. San Alejo bgonzalez at ...14528...
Fri Feb 27 10:09:34 EST 2009


    Hi, I had already done something like that with the -b option, but
since I'm a newbie with this stuff, I went into the snort.conf and
commented out the DB output and uncommented the log_tcpdump option. I
don't know if it will work differently.

    In my time zone my job time ends in minutes and my parental duties
take over, so I don't think I'll be sending anything new till Monday
morning. :)

    Thanks.

Joel Esler wrote:
> Try this, don't output to database.  Try having Snort just output
> directly to pcap format, then we can try and figure out where the
> problem may lie.
>
> J
>
> On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo
> <bgonzalez at ...14528... <mailto:bgonzalez at ...14528...>> wrote:
>
>
>        Hello, I'm missing out something here because I have produced some
>     log files from snort and when I check them out with wireshark I cannot
>     find some alert packets that I see at BASE.
>
>        In detail, I see some ICMP redirect messages in the logs (through
>     wireshark, they are in tcpdump format), but BASE shows just one. Also,
>     the MAC addresses involved are not the same (I have just one sensor),
>     though the IPs are. I know this because the packet saved as pcap from
>     BASE and opened with Wireshark has plain wrong MAC addresses.
>
>        I thought that some packets could get lost due to heavy load
>     (actually this is a live network, but I'm running snort non
>     promiscuous).
>     But the discrepancies between what BASE shows me and what snort logs
>     make me believe I'm doing something wrong.
>
>        Thanks.
>
>
>
>
>
> -- 
> Joel Esler
> T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> <mailto:jesler at ...1935...>
> [m]
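An added check that is not part of this thread: a stand-alone Python script that reads the pcap Snort writes with log_tcpdump (or the -b switch) and lists every ICMP redirect with its MAC and IP pairs, so the packet count and the MAC addresses can be compared with the single row BASE shows. The capture embedded in it is constructed to mirror the symptom (same IPs, two different source MACs); it assumes classic microsecond-resolution libpcap with Ethernet framing, which is an assumption about the log format rather than something the thread states.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # microsecond libpcap; assumed to be what log_tcpdump / -b write

def parse_pcap(data):
    """Yield raw frames from a libpcap buffer (either byte order, 24-byte global header)."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)
def icmp_redirects(data):
    """Every Ethernet/IPv4/ICMP redirect (type 5) in the capture, with MAC and IP pairs."""
    out = []
    for pkt in parse_pcap(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 1:  # IPv4, proto 1 = ICMP
            continue
        icmp = pkt[14 + (pkt[14] & 0x0F) * 4:]          # skip Ethernet + IP header (IHL)
        if len(icmp) >= 8 and icmp[0] == 5:
            out.append({"src_mac": mac(pkt[6:12]), "dst_mac": mac(pkt[0:6]),
                        "src_ip": ip(pkt[26:30]), "dst_ip": ip(pkt[30:34]),
                        "gateway": ip(icmp[4:8])})
    return out

def summarize(data):
    """Group redirects by IP pair and collect distinct MAC pairs; compare the counts with BASE."""
    seen = {}
    for r in icmp_redirects(data):
        seen.setdefault((r["src_ip"], r["dst_ip"]), set()).add((r["src_mac"], r["dst_mac"]))
    return {k: sorted(v) for k, v in seen.items()}

# --- constructed sample capture (not a real Snort log): same IPs, two different source MACs ---
def build_redirect(src_mac, dst_mac, src_ip, dst_ip, gateway):
    icmp = bytes([5, 1, 0, 0]) + bytes(gateway) + b"\x45\x00\x00\x1c" + b"\x00" * 24
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(src_ip), bytes(dst_ip))
    return bytes(dst_mac) + bytes(src_mac) + b"\x08\x00" + ip_hdr + icmp

def build_pcap(frames):
    buf = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        buf += struct.pack("<IIII", 1235744100 + i, 0, len(f), len(f)) + f
    return buf

A, B, DST = (0, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e), (0, 0x1a, 0x2b, 0x3c, 0x4d, 0x5f), (0, 0x11, 0x22, 0x33, 0x44, 0x55)
HOST, GW, NEW_GW = (192, 168, 1, 50), (192, 168, 1, 1), (192, 168, 1, 254)
SAMPLE_PCAP = build_pcap([build_redirect(A, DST, GW, HOST, NEW_GW), build_redirect(B, DST, GW, HOST, NEW_GW)])
```

Point `summarize()` at the bytes of a real tcpdump-format log instead of `SAMPLE_PCAP`; one IP pair with several MAC pairs is exactly the mismatch described in the thread.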