[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Mon Apr 25 20:29:17 EDT 2011


If you can reproduce the issue, we'll fix it.

On Mon, Apr 25, 2011 at 7:55 PM, James Lay <jlay at ...13475...> wrote:

> Howdy Joel :)
>
> The issue is just that my friend… some alerts fire, log to the .fast file
> (even enabled the .full one as well), but when you go to the pcap, it's just
> not there.  I can see other entries before and after, but not the one that I
> was looking for.  Odd thing is, most of the ones that miss are WEB-* ones.
>  I'll see what I can find tomorrow when I get to work to put together…I know
> I've got instances where the alert fired, logged to the fast, didn't in the
> snort pcap, but I have a pcap in my FPC.  Thanks again.
>
> James
>
> From: Joel Esler <jesler at ...1935...>
> Date: Mon, 25 Apr 2011 19:43:30 -0400
> To: "Lay, James" <james.lay at ...15009...>
> Cc: Snort <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] snort is logging alerts but not capturing
> corresponding packets for some rules
>
> I am more than willing to help you take a look if you have a pcap where you
> can reproduce the issue, or specific rules that are not firing.
>
> J
>
> On Mon, Apr 25, 2011 at 6:49 PM, Lay, James <james.lay at ...15009...> wrote:
>
>>
>>
>> *From:* Kumar, Mahendra [mailto:mkumar at ...15250...]
>> *Sent:* Monday, April 25, 2011 3:50 PM
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* [Snort-users] snort is logging alerts but not capturing
>> corresponding packets for some rules
>>
>>
>>
>> Hi,
>>
>>
>>
>> I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos 5.5
>> (x86_64). I am not using anything else like unified2, base, barnyard,
>> mysql, etc.
>>
>> My snort is working properly and I am getting alerts and packet captures
>> in snort.log in tcpdump format.
>>
>> But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
>> there is no packet capture in snort.log, and it is very consistent behavior,
>> i.e. I will never get packet captures for some of the rules but will always
>> get the alert, so it is not a packet drop problem. It seems to be a config issue
>> where the alert is logged but no packet is captured.
>>
>> Please help me resolve this issue.
>>
>>
>>
>> Thanks,
>>
>> MK
>>
>> Welcome to my world… I’ve submitted this exact same item a few times… seems
>> to be a mystery.  I have snort boxes in a few different sites on a few
>> different OS’s… same thing though… I get the alert in the .fast file, but
>> certain things just do not log to the pcap.  I’ve had to work around this
>> with full web traffic packet captures.  The machines aren’t even close to
>> maxing CPU or memory, but the problem still persists.  If anyone has some
>> advice I’d love to hear it.
>>
>>
>>
>> James
>>
>>
>> ------------------------------------------------------------------------------
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective network
>> management toolset available today.  Delivers lowest initial
>> acquisition cost and overall TCO of any competing solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
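Joel asks for a reproduction, and MK and James both describe the same symptom: an alert line in the fast file with no matching packet in the tcpdump-format snort.log. The script below is an added example (not code from this thread or from the Snort project) that cross-checks the two files so the missing cases can be listed by sid and timestamp. It assumes the alert_fast line layout `MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ...`, that Snort stamps the alert and the logged packet with the same microsecond timestamp, and that both are rendered in UTC (pass a different `tz` to `pcap_timestamps` if your sensor logs local time). The sample alert lines and the in-memory pcap are constructed; sid 1394 is the one named in the thread, its message text here is invented.

```python
"""Find alert_fast entries that have no packet record in a libpcap-format snort.log.

Added example, not part of the original thread. Assumptions: alert_fast line
format as documented in the lead-in, exact-microsecond match between alert and
packet, timestamps compared in UTC.
"""
import re
import struct
from datetime import datetime, timezone

# One alert_fast line: timestamp, then [gid:sid:rev] and the message between [**] markers.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file with microsecond timestamps
TS_FMT = "%m/%d-%H:%M:%S.%f"  # same shape as the alert_fast timestamp (no year)


def parse_fast_alerts(text):
    """Return [(timestamp_string, sid, msg)] for every parseable alert_fast line."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append((m.group("ts"), int(m.group("sid")), m.group("msg")))
    return alerts


def pcap_timestamps(data, tz=timezone.utc):
    """Return per-packet timestamps (formatted like alert_fast) from a libpcap file in memory."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a microsecond-resolution libpcap file")
    off = 24  # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    stamps = []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len  # skip the packet bytes; only the record header matters here
        dt = datetime.fromtimestamp(ts_sec, tz=tz).replace(microsecond=ts_usec)
        stamps.append(dt.strftime(TS_FMT))
    return stamps


def alerts_without_packet(alert_text, pcap_bytes, tz=timezone.utc):
    """Alerts whose timestamp never appears as a packet record in the pcap."""
    present = set(pcap_timestamps(pcap_bytes, tz))
    return [a for a in parse_fast_alerts(alert_text) if a[0] not in present]


def build_sample_pcap(stamps):
    """Constructed test data: a minimal pcap with one 4-byte dummy packet per timestamp."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b""
    for dt in stamps:
        body += struct.pack("<IIII", int(dt.timestamp()), dt.microsecond, 4, 4) + b"\x00\x01\x02\x03"
    return hdr + body


UTC = timezone.utc
# Constructed: two packets were logged, but three alerts fired; the sid 1394 alert has no packet.
SAMPLE_PCAP = build_sample_pcap([
    datetime(2011, 4, 25, 15, 50, 12, 123456, tzinfo=UTC),
    datetime(2011, 4, 25, 15, 50, 14, 500000, tzinfo=UTC),
])
SAMPLE_ALERTS = """\
04/25-15:50:12.123456  [**] [1:1000001:1] WEB-MISC constructed rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49152 -> 10.0.0.9:80
04/25-15:50:13.000001  [**] [1:1394:1] SHELLCODE constructed message [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:49153 -> 10.0.0.9:80
04/25-15:50:14.500000  [**] [1:1000002:1] WEB-MISC constructed rule B [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49154 -> 10.0.0.9:80
"""

if __name__ == "__main__":
    # Against real files: open(alert_file).read() and open(snort_log, "rb").read()
    for ts, sid, msg in alerts_without_packet(SAMPLE_ALERTS, SAMPLE_PCAP):
        print(f"{ts} sid {sid} ({msg}): alert logged, no packet in snort.log")
```

Run against a real alert file and snort.log pair, the output is exactly the list Joel asked for: which sids consistently alert without a logged packet, with timestamps that can be looked up in the full packet capture James mentions.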