[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules
wkitty42 at ...14940...
Wed Apr 27 14:02:47 EDT 2011
On 4/26/2011 14:57, Joel Esler wrote:
> No, it's my fault, I should have recognized the problem.
> Alerts that are not based off of the pseudo packet are logged to tcpdump.
> The pseudo packet is created by stream5 internal to Snort to be able to fire on
> stream reassembled traffic (such as this). It's only externally logged via unified.
so... we don't get a pcap of the packets used in the reassembly so that we can
snoop the actual traffic?? if so, that doesn't seem right... we get pcaps for
all the other alerts but just not for ones reassembled... am i understanding
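The distinction Joel describes can be seen in the snort.conf output section. The fragment below is an added example, not from the thread or the Snort project: with only log_tcpdump enabled, alerts fired on stream5's reassembled pseudo packet have no packet written to the pcap, while unified2 records both the event and the reassembled data. File names and the limit value are assumptions.

```conf
# --- stream5 reassembly is what produces the pseudo packet ---
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, ports both 80 443

# --- Output configuration A: pcap only ---
# Alerts on real wire packets get a packet here; alerts that fire on the
# stream5 pseudo packet are logged as alerts but no packet is written.
output alert_fast: alert
output log_tcpdump: tcpdump.log

# --- Output configuration B: unified2 ---
# Writes every event together with its packet data, including the
# reassembled pseudo packet that log_tcpdump never sees. Keep log_tcpdump
# if you still want a plain pcap for the non-reassembled alerts.
output unified2: filename snort.u2, limit 128
output log_tcpdump: tcpdump.log
```

The unified2 records can be inspected with the u2spewfoo tool shipped with Snort (u2spewfoo snort.u2.<timestamp>), which prints each event followed by its packet record.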