[Snort-users] Snort /var/log/snort/tcpdump<>

Amit B amn0p at ...14399...
Tue Dec 27 08:49:12 EST 2011


Nope, my issue is no pcap logs for certain alerts. Some of them are triggered from text rules (not so rules)

Thanks


On Dec 26, 2011, at 23:50, Eoin Miller <eoin.miller at ...14586...> wrote:

> Are there multiple alerts for the same session? There appears to be a bug where only the first alert has logged packets in the unified2 output. This could be the same issue affecting the PCAP output.
> 
> -- Eoin
> 
> On Dec 26, 2011, at 10:52 PM, amN0P at ...14399... wrote:
> 
>> Hi everyone,
>> 
>> I am sending Snort alerts to a central syslog server. If I want more insight I go to the /var/log/snort/tcpdumpxxx pcap files to learn what triggered the alert.
>> 
>> Many a time I don't see an equivalent pcap log for a syslog alert. What do these tcpdump pcaps contain and not contain? Do they have full packet dumps of all alerts triggered from the rules file but not from SO rules? Can someone please clarify. Thanks.
>> 
>> -Ams
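The workflow the original poster describes, alerts on a syslog server and packets in Snort's tcpdump-format log files, invites a simple consistency check: parse the syslog alert lines, parse the pcap, and list the alerts for which no packet of the same flow was logged near the alert time. The script below is an added example written for this thread, not code from the Snort project or from anyone in the discussion. It assumes Snort's alert_syslog line layout (`[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`), a classic pcap container with Ethernet/IPv4 frames, and that the syslog host and the sensor both stamp time in UTC; the syslog lines and pcap bytes it runs on are constructed test data, and the two-second matching window is an arbitrary choice.

```python
"""Cross-check Snort syslog alerts against packets in a tcpdump-format pcap.

Added example for this thread, not Snort's own code. Assumes Snort's alert_syslog
line format and a classic pcap file; all sample data below is constructed.
"""
import re
import struct
from datetime import datetime, timezone

# One alert_syslog line, e.g.
# Dec 26 22:50:01 sensor snort[1234]: [1:1000001:1] msg [Classification: x] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:80
# Ports are optional so that ICMP alerts ({ICMP} src -> dst) also parse.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: \d+\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_alert(line, year):
    """Return (epoch_seconds, (proto, src, sport, dst, dport), sid), or None for non-Snort lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it. Assumption of this
    # example: syslog host and sensor both log in UTC, so the epoch values are comparable.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()
    key = (PROTO_NUM.get(m["proto"]), m["src"], int(m["sport"] or 0),
           m["dst"], int(m["dport"] or 0))
    return ts, key, int(m["sid"])


def read_pcap(data):
    """Yield (epoch_seconds, frame_bytes) from classic pcap bytes (either byte order, us or ns)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian, div = "<", 1e6
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian, div = ">", 1e6
    elif magic == b"\x4d\x3c\xb2\xa1":  # nanosecond-resolution variant
        endian, div = "<", 1e9
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + frac / div, data[off:off + incl]
        off += incl


def flow_key(pkt):
    """Return (proto, src, sport, dst, dport) for an Ethernet/IPv4 frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    l4 = 14 + ihl
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= l4 + 4:  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    return proto, src, sport, dst, dport


def unmatched_alerts(syslog_lines, pcap_bytes, year, window=2.0):
    """SIDs of alerts with no packet of the same flow within +/- window seconds."""
    packets = [(ts, flow_key(p)) for ts, p in read_pcap(pcap_bytes)]
    missing = []
    for line in syslog_lines:
        parsed = parse_alert(line, year)
        if parsed is None:
            continue
        ats, key, sid = parsed
        if not any(k == key and abs(ts - ats) <= window for ts, k in packets):
            missing.append(sid)
    return missing


# ---- constructed sample data (not real captures) ----
def build_frame(src, sport, dst, dport, proto=6):
    """Minimal Ethernet/IPv4 frame with a 20-byte transport stub; checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + payload


def build_pcap(records):
    """Wrap (epoch_seconds, frame) pairs in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


SAMPLE_YEAR = 2011
SAMPLE_SYSLOG = [  # first alert has a packet below, second does not, third is not Snort
    "Dec 26 22:50:01 sensor snort[1234]: [1:1000001:1] EXAMPLE web probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:80",
    "Dec 26 22:50:07 sensor snort[1234]: [1:1000002:1] EXAMPLE dns query "
    "[Priority: 3] {UDP} 10.0.0.5:53311 -> 10.0.0.53:53",
    "Dec 26 22:50:09 sensor sshd[99]: Accepted publickey for ops",
]
T0 = datetime(2011, 12, 26, 22, 50, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_PCAP = build_pcap([
    (T0 + 1.25, build_frame("10.0.0.5", 44321, "10.0.0.9", 80, proto=6)),
    (T0 + 30.0, build_frame("10.0.0.5", 53311, "10.0.0.53", 53, proto=17)),  # same flow, outside window
])

if __name__ == "__main__":
    for sid in unmatched_alerts(SAMPLE_SYSLOG, SAMPLE_PCAP, SAMPLE_YEAR):
        print(f"alert sid {sid} has no matching packet in the pcap")
```

Run against a real sensor by reading the syslog file and one of the `/var/log/snort/tcpdump.*` files into `unmatched_alerts`; the list it returns is the set of alerts to investigate, for example to see whether they share a session with an earlier alert as the reply above suggests. Matching on the 5-tuple plus a time window is a heuristic: a packet logged for a different alert on the same flow will also count as a match, and clock skew between the syslog host and the sensor will need a wider window.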
