[Snort-users] Weird snort issue

Wed May 10 14:57:46 EDT 2017


I am running snort on a CentOS 7 box as shown in [1].  I installed it
from the snort.org pre-compiled rpm package.  I am also running the PF_RING stable
rpm package "pfring-6.7.0-1220" on the CentOS 7 box.

I am getting traffic down a couple of SPAN links to my box.  Snort triggers
on some alerts just fine.  However, snort does not trigger on all the alerts
which I am expecting to see.

For example, I ran tcpdump on both SPAN interfaces of the snort machine and
captured the packets when I browsed to a site where I expected the alerts to
trigger, and they did not.  Now that I have the tcpdump pcap capture, when I
played it back on the very same snort with the -r option I could see snort
showing that alert on the console.  What am I doing wrong?

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

