[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules
james.lay at ...15009...
Mon Apr 25 18:49:58 EDT 2011
From: Kumar, Mahendra [mailto:mkumar at ...15250...]
Sent: Monday, April 25, 2011 3:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules
I am using snort-220.127.116.11 with daq-0.5-9 and libpcap1-1.1.1-9 on CentOS 5.5 (x86_64). I am not using anything else like unified2, BASE, Barnyard, MySQL, etc.

My Snort is working properly and I am getting alerts and packet captures in snort.log in tcpdump format.

But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but there is no packet capture in snort.log, and it is very consistent behavior, i.e. I will never get packet captures for some of the rules but will always get the alert, so it is not a packet drop problem. It seems to be a config issue where the alert is logged but no packet is captured.

Please help me resolve this issue.
Welcome to my world... I've submitted this exact same item a few times... seems to be a mystery. I have snort boxes in a few different sites on a few different OSes... same thing though... I get the alert in the .fast file, but certain things just do not log to the pcap. I've had to work around this with full web traffic packet captures. The machines aren't even close to maxing CPU or memory, but the problem still persists. If anyone has some advice I'd love to hear it.
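A small correlation script, added here as an example and not something posted in this thread, that reads a Snort '-A fast' alert file together with a tcpdump-format snort.log and reports which SIDs fired without any packet for the same flow ever appearing in the log. It assumes Snort's fast-alert line layout, an Ethernet-framed IPv4 libpcap capture, and that matching on protocol plus 5-tuple (ignoring timestamps, since the fast format carries no year and uses local time) is enough to expose the pattern. The alert lines and the capture bytes below are constructed sample data; sid 1000001 is a made-up local rule.

```python
"""Correlate Snort fast-alert lines with packets in a tcpdump-format snort.log
to find which SIDs raise alerts but never get a packet written to the log.
Added example; assumptions: '-A fast' format, Ethernet/IPv4 libpcap capture,
matching on protocol + 5-tuple only."""
import re
import socket
import struct
from collections import defaultdict

# One '-A fast' line looks like:
# 04/25-15:50:01.100000  [**] [1:1394:8] MSG [**] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_fast_line(line):
    """Return (sid, msg, flow_key) for one fast-alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    key = (m["proto"].upper(), m["src"], int(m["sport"] or 0), m["dst"], int(m["dport"] or 0))
    return int(m["sid"]), m["msg"], key


def flow_keys_from_pcap(data):
    """Yield (proto, src, sport, dst, dport) for every IPv4 frame in a libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond variants not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to carry an IPv4 header
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = 0
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield (PROTO_NAMES.get(proto, str(proto)), src, sport, dst, dport)


def find_unlogged_sids(fast_lines, pcap_bytes):
    """Map each SID to (alert_count, alerts_with_no_packet_for_that_flow).
    A SID whose two counts are equal never had a packet written to snort.log."""
    packets = defaultdict(int)
    for key in flow_keys_from_pcap(pcap_bytes):
        packets[key] += 1
    stats = defaultdict(lambda: [0, 0])
    for line in fast_lines:
        parsed = parse_fast_line(line)
        if parsed is None:
            continue
        sid, _msg, key = parsed
        stats[sid][0] += 1
        if packets.get(key, 0) == 0:
            stats[sid][1] += 1
    return {sid: tuple(v) for sid, v in stats.items()}


# ---- constructed sample data (not a real capture or alert file) ----
def _tcp_frame(src, sport, dst, dport):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames):
    """Wrap frames in a little-endian libpcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1303760000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_FAST = """\
04/25-15:50:01.100000  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
04/25-15:50:02.200000  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.6:5555 -> 10.0.0.9:80
04/25-15:50:03.300000  [**] [1:1000001:1] LOCAL constructed rule that does log [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:6666 -> 10.0.0.9:80
""".splitlines()
# Only the flow behind the local rule made it into the constructed snort.log.
SAMPLE_PCAP = _pcap([_tcp_frame("10.0.0.7", 6666, "10.0.0.9", 80)] * 2)

if __name__ == "__main__":
    for sid, (alerts, unlogged) in sorted(find_unlogged_sids(SAMPLE_FAST, SAMPLE_PCAP).items()):
        print(f"sid {sid}: {alerts} alerts, {unlogged} with no packet in snort.log")
```

Against a real deployment, call `find_unlogged_sids(open("alert").read().splitlines(), open("snort.log", "rb").read())` on files from the same run; the SIDs whose two counts are equal are the ones that never reached snort.log, which narrows the question to those rules rather than to capture-side packet loss.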