[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules
mkumar at ...15250...
Mon Apr 25 17:50:11 EDT 2011
I am using snort-220.127.116.11 with daq-0.5-9 and libpcap1-1.1.1-9 on CentOS 5.5 (x86_64). I am not using anything else like unified2, BASE, Barnyard, MySQL, etc.
My Snort is working properly and I am getting alerts and packet captures in snort.log in tcpdump format.
But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but there is no packet capture in snort.log, and it is very consistent behavior, i.e. I never get packet captures for some of the rules but always get the alert, so it is not a packet-drop problem. It seems to be a config issue where the alert is logged but no packet is captured.
Please help me resolve this issue.
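A quick way to quantify the symptom described above, added here as an example (not code from the original post or from the Snort project): it parses a fast-format `alert` file and the tcpdump-format snort.log and lists the sids whose alerts have no packet with the same capture timestamp. It assumes Python 3, the classic pcap magic, and compares timestamps in UTC over constructed sample data; real Snort writes local time, so pass your zone as `tz`.

```python
"""Cross-check Snort fast-format alerts against a tcpdump-format snort.log.

Added example, not from the mailing-list post. Reports, per sid, how many
alerts have no packet with an identical capture timestamp in the pcap.
Assumption: alert lines are in Snort's "fast" format and timestamps are
compared as UTC strings (constructed data); adjust `tz` for a real box.
"""
import re
import struct
from datetime import datetime, timezone

# "04/25-17:50:11.000123  [**] [1:1394:10] SHELLCODE ..." -> (timestamp, sid)
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]")


def parse_fast_alerts(text):
    """Return {sid: set of timestamp strings} from fast-format alert lines."""
    seen = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return seen


def pcap_timestamps(data, tz=timezone.utc):
    """Return the set of 'MM/DD-HH:MM:SS.ffffff' stamps of every packet in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # classic magic only
    stamps, off = set(), 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        stamp = datetime.fromtimestamp(sec, tz).strftime("%m/%d-%H:%M:%S")
        stamps.add("%s.%06d" % (stamp, usec))
        off += 16 + caplen  # record header + captured bytes
    return stamps


def missing_captures(alert_text, pcap_bytes, tz=timezone.utc):
    """Return {sid: alerts with no matching packet}, only for sids that have gaps."""
    stamps = pcap_timestamps(pcap_bytes, tz)
    alerts = parse_fast_alerts(alert_text)
    return {sid: len(ts - stamps) for sid, ts in alerts.items() if ts - stamps}


# Constructed sample: two alerts, but the pcap holds only the second packet
# (2011-04-25 17:50:12.000456 UTC == epoch 1303753812).
SAMPLE_ALERTS = (
    "04/25-17:50:11.000123  [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**] "
    "[Priority: 1] {TCP} 10.0.0.5:40000 -> 10.0.0.9:80\n"
    "04/25-17:50:12.000456  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80\n"
)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1303753812, 456, 4, 4) + b"\x00" * 4)

if __name__ == "__main__":
    print(missing_captures(SAMPLE_ALERTS, SAMPLE_PCAP))  # {1394: 1}
```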