[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Mon Apr 25 19:43:30 EDT 2011


I am more than willing to help you take a look if you have a pcap where you
can reproduce the issue, or specific rules that are not firing.

J

On Mon, Apr 25, 2011 at 6:49 PM, Lay, James <james.lay at ...15009...> wrote:

>
>
> *From:* Kumar, Mahendra [mailto:mkumar at ...15250...]
> *Sent:* Monday, April 25, 2011 3:50 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] snort is logging alerts but not capturing
> corresponding packets for some rules
>
> Hi,
>
> I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on CentOS 5.5
> (x86_64). I am not using anything else such as unified2, base, barnyard,
> mysql, etc.
>
> My snort is working properly and I am getting alerts and packet captures in
> snort.log in tcpdump format.
>
> But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
> there is no packet capture in snort.log, and it is very consistent behavior,
> i.e. I will never get packet captures for some of the rules but will always
> get the alert, so it is not a packet drop problem. It seems to be a config
> issue where the alert is logged but no packet is captured.
>
> Please help me resolve this issue.
>
> Thanks,
>
> MK
>
> Welcome to my world… I’ve submitted this exact same item a few times… seems
> to be a mystery.  I have snort boxes in a few different sites on a few
> different OSes… same thing though… I get the alert in the .fast file, but
> certain things just do not log to the pcap.  I’ve had to work around this
> with full web traffic packet captures.  The machines aren’t even close to
> maxing CPU or memory, but the problem still persists.  If anyone has some
> advice I’d love to hear it.
>
> James
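The complaint in this thread is an alert that appears in the fast alert file while snort.log (tcpdump format) holds no matching packet. As an added example, not code from the thread or from the Snort project, the Python below cross-checks the two files by timestamp: it parses the header fields of alert_fast lines, walks raw libpcap record headers without any external library, and reports the SIDs that fired with no packet captured within a tolerance. The alert_fast layout, the sample alert lines (the sid:1394 message text is assumed) and the sample pcap are constructed here; the year has to be supplied because alert_fast omits it.

```python
import re, struct
from datetime import datetime

# Header of a Snort alert_fast line, e.g. "04/25-15:50:01.000123  [**] [1:1394:13] MSG [**] ..."
ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]")

def parse_fast_alerts(text, year):
    """Return [(epoch_seconds, sid)] per alert line; alert_fast is local time without a year."""
    alerts = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        mon, day, hh, mm, ss, us, sid = m.groups()
        dt = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us))
        alerts.append((dt.timestamp(), int(sid)))
    return alerts

def pcap_timestamps(data):
    """Return the epoch timestamp of every record in a classic libpcap (tcpdump) file."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic decides byte order
    times, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        times.append(sec + usec / 1e6)
        off += 16 + incl_len  # record header plus captured bytes
    return times

def alerts_without_packets(alerts, pkt_times, tolerance=1.0):
    """Count, per SID, the alerts with no captured packet within `tolerance` seconds."""
    missing = {}
    for t, sid in alerts:
        if not any(abs(t - p) <= tolerance for p in pkt_times):
            missing[sid] = missing.get(sid, 0) + 1
    return missing

# Constructed sample: two alerts, but snort.log only holds the packet for the second one.
SAMPLE_ALERTS = """\
04/25-15:50:01.000123  [**] [1:1394:13] SHELLCODE x86 inc ecx NOOP [**] [Priority: 1] {TCP} 10.0.0.5:4455 -> 10.0.0.9:80
04/25-15:50:02.500000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 10.0.0.5:4456 -> 10.0.0.9:80
"""

def build_sample_pcap(times):
    # Minimal little-endian pcap (v2.4, Ethernet) with one 60-byte dummy frame per timestamp.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for t in times:
        sec = int(t)
        out += struct.pack("<IIII", sec, round((t - sec) * 1e6), 60, 60) + b"\x00" * 60
    return out

def demo():
    alerts = parse_fast_alerts(SAMPLE_ALERTS, year=2011)
    pcap = build_sample_pcap([alerts[1][0]])  # only the second alert's packet was logged
    return alerts_without_packets(alerts, pcap_timestamps(pcap))  # -> {1394: 1}
```

Against real files, feed the contents of the fast alert file to parse_fast_alerts and the bytes of snort.log to pcap_timestamps; a SID that keeps appearing in the result is one whose alerts never reach the pcap, which is the pattern both posters describe.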