[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Wed Apr 27 14:46:37 EDT 2011


No.  They are in unified.

On Wed, Apr 27, 2011 at 2:02 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/26/2011 14:57, Joel Esler wrote:
> > No, it's my fault, I should have recognized the problem.
> >
> > Alerts that are not based off of the pseudo packet are logged to tcpdump.
> >
> > The pseudo packet is created by stream5 internal to Snort to be able to fire on
> > stream reassembled traffic (such as this).  It's only externally logged via unified.
>
> so... we don't get a pcap of the packets used in the reassembly so that we can
> snoop the actual traffic?? if so, that doesn't seem right... we get pcaps for
> all the other alerts but just not for ones reassembled... am i understanding
> that correctly?
>
>
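As an added example (not from the thread, and not Snort's own code): a small parser that pulls UNIFIED2_PACKET records out of a unified2 file and writes them to a classic pcap, which is how you get at the packet for an alert that only went to unified and not to the tcpdump log. It assumes the Snort 2.9 unified2 layout (big-endian 4-byte type and length, then the packet struct), and the sample record is constructed inline rather than captured.

```python
import struct

# Record type of a packet record (value from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
DLT_EN10MB = 1  # Ethernet link type, used by the constructed sample

def parse_unified2(data: bytes):
    """Yield (type, payload) for each record: 4-byte type, 4-byte length,
    both big-endian, followed by `length` payload bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record")
        yield rtype, data[off:off + rlen]
        off += rlen

def packet_records(data: bytes):
    """Collect UNIFIED2_PACKET records. Alerts fired on stream5 pseudo packets
    land here too, which is why they are absent from the tcpdump log."""
    out = []
    for rtype, payload in parse_unified2(data):
        if rtype != UNIFIED2_PACKET:
            continue
        # Serial_Unified2Packet: sensor_id, event_id, event_second,
        # packet_second, packet_microsecond, linktype, packet_length, data
        (_sensor, event_id, _evt_sec, sec, usec,
         linktype, pkt_len) = struct.unpack_from("!7I", payload, 0)
        out.append({"event_id": event_id, "sec": sec, "usec": usec,
                    "linktype": linktype, "packet": payload[28:28 + pkt_len]})
    return out

def to_pcap(records) -> bytes:
    """Serialise the packets as a classic libpcap file (magic 0xa1b2c3d4)."""
    linktype = records[0]["linktype"] if records else DLT_EN10MB
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for r in records:
        n = len(r["packet"])
        out += struct.pack("<IIII", r["sec"], r["usec"], n, n) + r["packet"]
    return out

def make_packet_record(event_id, sec, usec, pkt):
    """Constructed sample record (not real Snort output) for offline testing."""
    body = struct.pack("!7I", 1, event_id, sec, sec, usec, DLT_EN10MB, len(pkt)) + pkt
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

# Constructed input: one packet record carrying a dummy 14-byte Ethernet frame.
SAMPLE_U2 = make_packet_record(42, 1303926157, 500, bytes(14))
```

Snort 2.9 ships u2boat under tools/ for the same conversion; the point of this version is to make the record layout visible, and to match the packet back to its event via event_id.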

