[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Kumar, Mahendra mkumar at ...15250...
Mon Apr 25 17:50:11 EDT 2011


Hi,

I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos 5.5 (x86_64). I am not using any other thing like unified2, base, barnyard, mysql etc.
My snort is working properly and I am getting alerts and packet captures in snort.log in tcpdump format.
But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but there is no packet capture in snort.log and it is very consistent behavior, i.e. I will never get packet captures for some of the rules but will always get alert so it is not a packet drop problem. It seems to be a config issue where the alert is logged but no packet captures.
Please help me resolve this issue.

Thanks,
MK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110425/eabc187c/attachment.html>


More information about the Snort-users mailing list