[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Kumar, Mahendra mkumar at ...15250...
Tue Apr 26 18:25:20 EDT 2011

Hi Joel,
Can I capture packets in tcpdump mode in snort.log and simultaneously in unified format in some other file? If yes, how can I do that so that I can compare and see if the packets missing from snort.log (tcpdump) are in fact logged in unified format.

From: Joel Esler [mailto:jesler at ...1935...]
Sent: Tuesday, April 26, 2011 10:49 AM
To: Agustin Roca
Cc: snort-users at lists.sourceforge.net; Jason Brvenik
Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

-A cmg on the command line as the alert method.
On Tue, Apr 26, 2011 at 1:48 PM, Agustin Roca <agustin.roca at ...15205...<mailto:agustin.roca at ...15205...>> wrote:
Nice explanation Joel. Which snort flag/option can i use to see the Stream reassembled packet info?

2011/4/26 Joel Esler <jesler at ...1935...<mailto:jesler at ...1935...>>
Actually, Jason is right.  The alert is generated on the pseudo packet, this is correct functionality, so I've closed the bug.

So, James, using the pcap you gave me, I'll get rid of the IPs in the cut and paste here, but I'll make BOLD the line that indicates that the alert is actually on the pseudo packet, and not the individual packet.

snort -c snort.conf -r missed.pcap -A cmg -q

04/26-10:37:43.307954  [**] [1:12280:3] WEB-CLIENT Microsoft Internet Explorer VML source file memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31390
Stream reassembled packet

Above, where is says "Stream reassembled packet" is your indication that the alert was not in fact on one packet, but on the reassembly of the packets.  We call this the pseudo packet.

If you output from Snort in Unified format, you have access to these packets.


On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay at ...15009...<mailto:james.lay at ...15009...>> wrote:
Thanks for the response Jason...I ended up working with Joel on this and he has put in a bug fix.  Thanks again.


From: Jason Brvenik [mailto:jbrvenik at ...1935...<mailto:jbrvenik at ...1935...>]
Sent: Monday, April 25, 2011 5:14 PM
To: Lay, James; Kumar, Mahendra
Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

I would suspect that the event fires on pseudo packets, reassembled or normalized traffic. Can you enable unified2 and see if it is also missing there.
On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay at ...15009...<mailto:james.lay at ...15009...>> wrote:
> From: Kumar, Mahendra [mailto:mkumar at ...15250...<mailto:mkumar at ...15254....>]
> Sent: Monday, April 25, 2011 3:50 PM
> To: snort-users at lists.sourceforge.net<mailto:snort-users at ...2652...e.net>
> Subject: [Snort-users] snort is logging alerts but not capturing
> corresponding packets for some rules
> Hi,
> I am using snort- with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
> 5.5 (x86_64). I am not using any other thing like unified2, base,
> barnyard, mysql etc.
> My snort is working properly and I am getting alerts and packet captures
> in snort.log in tcpdump format.
> But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
> there is no packet capture in snort.log and it is very consistent
> behavior, i.e. I will never get packet captures for some of the rules
> but will always get alert so it is not a packet drop problem. It seems
> to be a config issue where the alert is logged but no packet captures.
> Please help me resolve this issue.
> Thanks,
> MK
> Welcome to my world...I've submitted this exact same item a few
> times....seems to be a mystery. I have snort boxes in a few different
> sites on a few different OS's....same thing though...I get the alert in
> the .fast file, but certain things just do not log to the pcap. I've
> had to work around this with full web traffic packet captures. The
> machines aren't even close to maxing CPU or memory, but the problem
> still persists. If anyone has some advice I'd love to hear it.
> James

WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Agustin Roca
Information Security Team
agustin.roca at ...15205...<mailto:agustin.roca at ...15205...>
work: 54+(011) 4109.1700 ext. 8098
cel: 54+(011)15-5022-3042

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110426/c3cc7ccc/attachment.html>

More information about the Snort-users mailing list