[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Tue Apr 26 13:08:16 EDT 2011


Following up to the list.  James and I were able to exchange some pcaps and
such offline and were able to reproduce the issue, I've placed a bug into
the system to fix the issue.  I'll update when there's progress.

Joel

On Mon, Apr 25, 2011 at 8:29 PM, Joel Esler <jesler at ...1935...> wrote:

> If you can reproduce the issue, we'll fix it.
>
>
> On Mon, Apr 25, 2011 at 7:55 PM, James Lay <jlay at ...13475...> wrote:
>
>> Howdy Joel :)
>>
>> The issue is just that my friend… some alerts fire, log to the .fast file
>> (even enabled the .full one as well), but when you go to the pcap, it's just
>> not there.  I can see other entries before and after, but not the one that I
>> was looking for.  Odd thing is, most of the ones that miss are WEB-* ones.
>>  I'll see what I can find tomorrow when I get to work to put together…I know
>> I've got instances where the alert fired, logged to the fast, didn't in the
>> snort pcap, but I have a pcap in my FPC.  Thanks again.
>>
>> James
>>
>> From: Joel Esler <jesler at ...1935...>
>> Date: Mon, 25 Apr 2011 19:43:30 -0400
>> To: "Lay, James" <james.lay at ...15009...>
>> Cc: Snort <snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] snort is logging alerts but not capturing
>> corresponding packets for some rules
>>
>> I am more than willing to help you take a look if you have a pcap where
>> you can reproduce the issue, or specific rules that are not firing.
>>
>> J
>>
>> On Mon, Apr 25, 2011 at 6:49 PM, Lay, James <james.lay at ...15009...> wrote:
>>
>>>
>>>
>>> *From:* Kumar, Mahendra [mailto:mkumar at ...15250...]
>>> *Sent:* Monday, April 25, 2011 3:50 PM
>>> *To:* snort-users at lists.sourceforge.net
>>> *Subject:* [Snort-users] snort is logging alerts but not capturing
>>> corresponding packets for some rules
>>>
>>>
>>>
>>> Hi,
>>>
>>>
>>>
>>> I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
>>> 5.5 (x86_64). I am not using any other thing like unified2, base, barnyard,
>>> mysql etc.
>>>
>>> My snort is working properly and I am getting alerts and packet captures
>>> in snort.log in tcpdump format.
>>>
>>> But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
>>> there is no packet capture in snort.log and it is very consistent behavior,
>>> i.e. I will never get packet captures for some of the rules but will always
>>> get alert so it is not a packet drop problem. It seems to be a config issue
>>> where the alert is logged but no packet captures.
>>>
>>> Please help me resolve this issue.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> MK
>>>
>>> Welcome to my world…I’ve submitted this exact same item a few
>>> times… seems to be a mystery.  I have snort boxes in a few different sites
>>> on a few different OS’s….same thing though…I get the alert in the .fast
>>> file, but certain things just do not log to the pcap.  I’ve had to work
>>> around this with full web traffic packet captures.  The machines aren’t even
>>> close to maxing CPU or memory, but the problem still persists.  If anyone
>>> has some advice I’d love to hear it.
>>>
>>>
>>>
>>> James
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> WhatsUp Gold - Download Free Network Management Software
>>> The most intuitive, comprehensive, and cost-effective network
>>> management toolset available today.  Delivers lowest initial
>>> acquisition cost and overall TCO of any competing solution.
>>> http://p.sf.net/sfu/whatsupgold-sd
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>
>
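The symptom both James and MK describe, an alert in the .fast file with no corresponding packet in the tcpdump-format snort.log, can be measured rather than eyeballed. The script below is an added example written for this page, not code from the thread or from the Snort project: it parses alert_fast lines and a classic pcap using only the standard library, matches each alert to a packet by protocol, addresses, ports and timestamp, and returns the alerts that have no packet behind them. Everything in it is an assumption of the example: the helper names, the Ethernet link type, the one-second match window, and the constructed alert lines and frames (sids 1000001 and 1000002 are local-rule placeholders; 1394 is the sid MK mentions, with an illustrative message text).

```python
import re
import struct
from datetime import datetime, timezone

# Snort 2.9 alert_fast line: no year in the timestamp; ports and the
# "[Classification: ...] [Priority: N]" section are optional.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    tod = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return {"sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"].upper(),
            "mon": int(m["mon"]), "day": int(m["day"]), "tod": tod,
            "key": (m["src"], int(m["sport"] or 0), m["dst"], int(m["dport"] or 0))}

def decode_ipv4(frame):
    """Ethernet/IPv4 frame -> (proto name, (src, sport, dst, dport)); None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP/UDP ports sit right after the IP header
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return PROTO_NAMES.get(proto, str(proto)), (src, sport, dst, dport)

def read_pcap(data):
    """Yield (timestamp, proto, tuple) per IPv4 packet of a classic (microsecond) pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # either byte order
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        decoded = decode_ipv4(data[off:off + incl_len])
        off += incl_len
        if decoded:
            yield ts_sec + ts_usec / 1e6, decoded[0], decoded[1]

def find_unlogged_alerts(alert_lines, pcap_bytes, tz=timezone.utc, tolerance=1.0):
    """Return parsed alerts with no packet of the same proto/addresses/ports within
    `tolerance` seconds. alert_fast prints the sensor's local time, so pass that
    zone as `tz` on real files; UTC keeps the constructed sample deterministic."""
    packets = []
    for ts, proto, key in read_pcap(pcap_bytes):
        dt = datetime.fromtimestamp(ts, tz)
        tod = dt.hour * 3600 + dt.minute * 60 + dt.second + dt.microsecond / 1e6
        packets.append((dt.month, dt.day, tod, proto, key))
    missing = []
    for line in alert_lines:
        a = parse_alert(line)
        if a and not any(mon == a["mon"] and day == a["day"] and proto == a["proto"]
                         and key == a["key"] and abs(tod - a["tod"]) <= tolerance
                         for mon, day, tod, proto, key in packets):
            missing.append(a)
    return missing

# ---- constructed sample data (not real traffic or real alert output) ----
def build_frame(src, dst, sport, dport, proto=6):
    """Minimal Ethernet/IPv4 frame with a TCP (6) or UDP (17) header; checksums left zero."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(records):
    """(ts_sec, ts_usec, frame) records -> little-endian pcap bytes, linktype Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

T0 = 1303746612  # 2011-04-25 15:50:12 UTC, lined up with the constructed alert times
SAMPLE_ALERTS = [  # sids 1000001/1000002 are local-rule placeholders; 1394 is the sid from the thread
    "04/25-15:50:12.100000  [**] [1:1000001:1] WEB-MISC constructed probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:41234 -> 192.168.1.10:80",
    "04/25-15:50:13.200000  [**] [1:1394:11] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:41235 -> 192.168.1.10:80",
    "04/25-15:50:14.300000  [**] [1:1000002:1] SCAN constructed UDP probe [**] [Priority: 3] {UDP} 10.0.0.7:53211 -> 192.168.1.10:161",
]
SAMPLE_RECORDS = [
    (T0, 100000, build_frame("10.0.0.5", "192.168.1.10", 41234, 80)),            # backs alert 1
    (T0 + 60, 200000, build_frame("10.0.0.5", "192.168.1.10", 41235, 80)),       # alert 2's tuple, but a minute late
    (T0 + 2, 300000, build_frame("10.0.0.7", "192.168.1.10", 53211, 161, 17)),   # backs alert 3
]

if __name__ == "__main__":
    for a in find_unlogged_alerts(SAMPLE_ALERTS, build_pcap(SAMPLE_RECORDS)):
        print("alert without a logged packet: sid %(sid)d %(msg)s %(key)s" % a)
```

Against real files, read alert.fast and snort.log from disk and pass the sensor's zone as `tz`, because alert_fast carries local time and no year. A non-empty result reproduces the gap the thread reports for exactly the rules affected; a result that empties when `tolerance` is widened points at a timestamp or clock mismatch rather than a missing packet.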