[Snort-users] What does snort pcaps include -->/var/log/snort/

amN0P at ...14399...
Wed Nov 23 12:31:39 EST 2011


I currently have fast alerts turned ON for my Snort sensors running a Linux variant. These fast alerts go to local syslog. By default I noticed pcap logs get stored in /var/log/snort.

Just trying to figure out 2 things.

1. Are these pcaps for ALL conventional text-based rules that get triggered? Do these pcaps include raw packet dumps for alerts triggered through SO rules as well?

2. I noticed some botnet-related alerts (fast alerts, as noted above) and I wanted to drill into the packets using tcpdump so that I can double-check whether the alert is real or not. However, I was not able to find that alert in tcpdump. What am I missing in the configuration?

I tried searching and I was not able to narrow down on an answer. Thanks for your time. Will appreciate any help.
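One way to do the correlation the question asks about, as an added example that is not part of the original post or of the Snort project: parse the alert_fast line (Snort's default fast format: MM/DD-HH:MM:SS.usec, [**] [gid:sid:rev] msg [**], classification, priority, {proto} src:port -> dst:port) and pull out of the tcpdump-format file that Snort's log_tcpdump output writes under /var/log/snort every packet whose 5-tuple matches the alert, in either direction, within a few seconds of the alert time. The alert line, SID, addresses and pcap contents below are constructed sample data; the code assumes Ethernet frames, IPv4 with TCP or UDP, and that alert and capture timestamps are interpreted in the same timezone (the fast-alert line carries no year, so the caller supplies it).

```python
"""Correlate a Snort alert_fast line with packets in a classic libpcap file.
Added example; not Snort project code.  Sample alert and capture are constructed."""
import re
import socket
import struct
from datetime import datetime, timezone

# Default alert_fast layout; ICMP alerts have no ports and are not handled here.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mi>\d\d):(?P<ss>\d\d)\.(?P<us>\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_fast_alert(line, year):
    """Parse one alert_fast line; the line has no year, so the caller supplies it (UTC assumed)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not an alert_fast line with TCP/UDP endpoints: %r" % line)
    g = m.groupdict()
    ts = datetime(year, int(g["mon"]), int(g["day"]), int(g["hh"]), int(g["mi"]),
                  int(g["ss"]), int(g["us"]), tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "sid": int(g["sid"]), "msg": g["msg"], "proto": g["proto"],
            "src": g["src"], "sport": int(g["sport"]), "dst": g["dst"], "dport": int(g["dport"])}

def iter_pcap(data):
    """Yield (timestamp, frame) from a classic pcap (magic 0xa1b2c3d4, either byte order)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode_ipv4(frame):
    """(proto, src, sport, dst, dport, payload) for Ethernet/IPv4/TCP|UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        hdr = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
        return ("TCP" if proto == 6 else "UDP"), src, sport, dst, dport, frame[l4 + hdr:]
    return None

def packets_for_alert(pcap_bytes, alert, window=2.0):
    """Packets matching the alert's 5-tuple in either direction within +/- window seconds."""
    fwd = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (alert["dst"], alert["dport"], alert["src"], alert["sport"])
    hits = []
    for ts, frame in iter_pcap(pcap_bytes):
        d = decode_ipv4(frame)
        if d and d[0] == alert["proto"] and d[1:5] in (fwd, rev) and abs(ts - alert["ts"]) <= window:
            hits.append((ts,) + d[1:])
    return hits

# ---- constructed sample data (hypothetical SID, documentation addresses, synthetic frames) ----
SAMPLE_ALERT = ("11/23-12:31:39.412000  [**] [1:2000000:3] HYPOTHETICAL botnet C&C check-in [**] "
                "[Classification: A Network Trojan was detected] [Priority: 1] "
                "{TCP} 192.0.2.10:49152 -> 198.51.100.25:8080")

def build_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame with zero checksums; enough for decode_ipv4()."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip

def build_pcap(records):
    """Little-endian classic pcap, Ethernet link type, from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

def sample_pcap(alert):
    t = alert["ts"]
    return build_pcap([
        (t - 0.5, build_frame("192.0.2.10", 49152, "198.51.100.25", 8080, b"GET /gate.php HTTP/1.1\r\n")),
        (t + 0.1, build_frame("198.51.100.25", 8080, "192.0.2.10", 49152, b"HTTP/1.1 200 OK\r\n")),
        (t + 0.2, build_frame("192.0.2.10", 49153, "198.51.100.40", 443, b"unrelated flow")),
        (t + 30.0, build_frame("192.0.2.10", 49152, "198.51.100.25", 8080, b"outside the window")),
    ])

def demo():
    alert = parse_fast_alert(SAMPLE_ALERT, year=2011)
    return packets_for_alert(sample_pcap(alert), alert)

if __name__ == "__main__":
    for ts, src, sport, dst, dport, payload in demo():
        print("%.6f %s:%d -> %s:%d %r" % (ts, src, sport, dst, dport, payload))
```

On a real sensor, feed `packets_for_alert()` the bytes of the snort.log.<epoch> file covering the alert time instead of `sample_pcap()`. If nothing matches, the usual causes are that the capture and alert are in different files or timezones, or that the binary packet log is not actually being written: in Snort 2.x the `output log_tcpdump:` plugin (or an equivalent -l / logging option) has to be enabled in snort.conf in addition to `output alert_fast:`, because the fast alert line on its own carries only the header summary shown above, not the packet.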
