[Snort-users] Snort++ - PCAPs are missing some packets

João Soares joaosoares11 at ...125...
Thu Dec 22 09:11:16 EST 2016


Hi everyone,

I'm using Snort++ and saving both alert logs (alert_fast) and .pcaps of
the packets that triggered them. These are my configs:

log_pcap = {limit = 7, units = "M"}
alert_fast = {file = true, limit = 3, units = "G"}

I'm also using 12 threads, which means 12 alert or .pcap files are
created each time the respective size limit is reached.

It seems to be working for most cases, but there are some alerts that do
not have a corresponding packet; an example is this one:

12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} xx.xxx.xxx.xxx:44584 -> xxx.xxx.xxx.xx:80

I've looked in every .pcap and I can't find anything, not even a packet
with this source IP.

Am I missing some configuration? If you need any additional info, please
ask!

Thank you for your time,

Best wishes,

João Soares
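
The cross-check described in the post (looking through every .pcap for the 5-tuple of an alert) automated as an added Python example; this is not code from the original post or from the Snort project. It parses alert_fast lines in the format shown above, reads a classic (libpcap) Ethernet capture with only the standard library, and lists the alerts whose exact protocol/src/sport/dst/dport never appears in the capture, also noting whether the source IP shows up anywhere at all. The alert lines, the RFC 5737 addresses and the pcap bytes are constructed here for the example; in a real run, read the alert_fast file and every pcap written by log_pcap (all packet threads, including rotated files) from disk instead.

```python
import re
import socket
import struct
from typing import Dict, Iterable, List, Set, Tuple

FiveTuple = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# One alert_fast line: timestamp, [gid:sid:rev], "msg", optional classification and
# priority, {PROTO}, then src[:port] -> dst[:port]. Ports are absent for ICMP. IPv4 only.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\] )?\{(?P<proto>\w+)\} '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$'
)

def parse_alert_fast(lines: Iterable[str]) -> List[Dict]:
    """Parse alert_fast lines; lines that do not match the format are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sport"] = int(a["sport"] or 0)
            a["dport"] = int(a["dport"] or 0)
            alerts.append(a)
    return alerts

def pcap_flows(data: bytes) -> Set[FiveTuple]:
    """Return every IPv4 5-tuple in a classic (libpcap) Ethernet capture (not pcapng)."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        e = "<"                       # little-endian file, usec or nsec magic
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        e = ">"                       # big-endian file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
    flows: Set[FiveTuple] = set()
    off = 24                          # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                  # truncated frame or not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        l4 = pkt[14 + ihl:]
        sport = dport = 0
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        flows.add((PROTO_NAMES.get(proto, str(proto)), src, sport, dst, dport))
    return flows

def alerts_without_packets(alerts: List[Dict], flows: Set[FiveTuple]) -> List[Tuple[Dict, bool]]:
    """Alerts whose exact 5-tuple is absent, paired with whether their src IP appears at all."""
    seen_ips = {f[1] for f in flows} | {f[3] for f in flows}
    return [(a, a["src"] in seen_ips) for a in alerts
            if (a["proto"], a["src"], a["sport"], a["dst"], a["dport"]) not in flows]

def build_pcap(packets: Iterable[FiveTuple]) -> bytes:
    """Constructed test data: a minimal little-endian pcap with empty TCP/UDP payloads."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (proto, src, sport, dst, dport) in enumerate(packets):
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         {"TCP": 6, "UDP": 17}[proto], 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
        out += struct.pack("<IIII", 1482415455 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed sample data (RFC 5737 addresses), not taken from the original post.
SAMPLE_ALERTS = [
    '12/22/16-14:04:15.520812 [**] [1:3827:14] "SERVER-WEBAPP PHP xmlrpc.php post attempt" [**] '
    '[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44584 -> 198.51.100.5:80',
    '12/22/16-14:04:16.000001 [**] [1:1000001:1] "TEST udp rule" [**] [Classification: Misc activity] '
    '[Priority: 3] {UDP} 192.0.2.11:5353 -> 198.51.100.5:53',
    '12/22/16-14:04:17.000001 [**] [1:1000002:1] "TEST tcp rule" [**] [Priority: 2] {TCP} '
    '203.0.113.7:40000 -> 198.51.100.5:443',
]
SAMPLE_PCAP = build_pcap([
    ("UDP", "192.0.2.11", 5353, "198.51.100.5", 53),     # matches sid 1000001 exactly
    ("TCP", "198.51.100.5", 80, "192.0.2.10", 44584),    # only the reverse direction of sid 3827
])

if __name__ == "__main__":
    for a, seen in alerts_without_packets(parse_alert_fast(SAMPLE_ALERTS), pcap_flows(SAMPLE_PCAP)):
        print(f"no packet for sid {a['sid']}: {a['proto']} {a['src']}:{a['sport']} -> "
              f"{a['dst']}:{a['dport']} (src IP seen in capture: {seen})")
```

The exact-direction match is deliberate: an alert names the direction of the packet that fired, so a flow that is present only in the reverse direction is still reported, but flagged with the source IP as seen, which separates "wrong file or direction" from "this host never made it into any capture", the situation the post describes.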
