[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

waldo kitty wkitty42 at ...14940...
Wed Apr 27 14:02:47 EDT 2011


On 4/26/2011 14:57, Joel Esler wrote:
> No, it's my fault, I should have recognized the problem.
>
> Alerts that are not based off of the pseudo packet are logged to tcpdump.
>
> The pseudo packet is created by stream5 internal to Snort to be able to fire on
> stream reassembled traffic (such as this).  It's only externally logged via unified.

so... we don't get a pcap of the packets used in the reassembly so that we can 
snoop the actual traffic?? if so, that doesn't seem right... we get pcaps for 
all the other alerts but just not for ones reassembled... am i understanding 
that correctly?




More information about the Snort-users mailing list