Snort mailing list archives

Re: snort is logging alerts but not capturing corresponding packets for some rules


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 26 Apr 2011 13:08:16 -0400

Following up to the list.  James and I were able to exchange some pcaps and
such offline and were able to reproduce the issue, I've placed a bug into
the system to fix the issue.  I'll update when there's progress.

Joel

On Mon, Apr 25, 2011 at 8:29 PM, Joel Esler <jesler () sourcefire com> wrote:

If you can reproduce the issue, we'll fix it.


On Mon, Apr 25, 2011 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:

Howdy Joel :)

The issue is just that my friend… some alerts fire, log to the .fast file
(even enabled the .full one as well), but when you go to the pcap, it's just
not there.  I can see other entries before and after, but not the one that I
was looking for.  Odd thing is, most of the ones that miss are WEB-* ones.
I'll see what I can find tomorrow when I get to work to put together… I know
I've got instances where the alert fired, logged to the fast, didn't in the
snort pcap, but I have a pcap in my FPC.  Thanks again.

James

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 25 Apr 2011 19:43:30 -0400
To: "Lay, James" <james.lay () wincofoods com>
Cc: Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort is logging alerts but not capturing
corresponding packets for some rules

I am more than willing to help you take a look if you have a pcap where
you can reproduce the issue, or specific rules that are not firing.

J

On Mon, Apr 25, 2011 at 6:49 PM, Lay, James <james.lay () wincofoods com> wrote:



From: Kumar, Mahendra [mailto:mkumar () intacct com]
Sent: Monday, April 25, 2011 3:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort is logging alerts but not capturing
corresponding packets for some rules


Hi,


I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on CentOS
5.5 (x86_64). I am not using anything else like unified2, BASE, Barnyard,
MySQL, etc.

My snort is working properly and I am getting alerts and packet captures
in snort.log in tcpdump format.

But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
there is no packet capture in snort.log, and it is very consistent behavior,
i.e. I will never get packet captures for some of the rules but will always
get the alert, so it is not a packet drop problem. It seems to be a config
issue where the alert is logged but no packet is captured.

Please help me resolve this issue.

Thanks,

MK

Welcome to my world… I’ve submitted this exact same item a few
times… seems to be a mystery.  I have snort boxes in a few different sites
on a few different OSes… same thing though… I get the alert in the .fast
file, but certain things just do not log to the pcap.  I’ve had to work
around this with full web traffic packet captures.  The machines aren’t even
close to maxing CPU or memory, but the problem still persists.  If anyone
has some advice I’d love to hear it.

James


------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
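One check a practitioner in this situation might run, added here as an example and not code from the Snort project or from anyone in the thread: parse the alert_fast lines and the tcpdump-format snort.log, then list the alerts whose protocol and 5-tuple never appear among the logged packets. The alert lines, the addresses and the one-packet pcap below are constructed sample data; the matching is on protocol and 5-tuple only (a real run would also want to compare timestamps), and the minimal pcap reader assumes a classic pcap file with Ethernet framing.

```python
import re
import socket
import struct
from typing import Dict, List, Tuple

# Shape of a Snort alert_fast line (the examples further down are constructed):
# 04/25-15:50:01.123456  [**] [1:1394:12] msg [**] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.0.2.10:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_fast_alerts(text: str) -> List[dict]:
    """Parse alert_fast output into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # ICMP and other port-less alerts carry no ports; use 0 so they match the pcap side
        d["sport"] = int(d["sport"] or 0)
        d["dport"] = int(d["dport"] or 0)
        alerts.append(d)
    return alerts

def flow_key(alert: dict) -> FlowKey:
    return (alert["proto"].upper(), alert["src"], alert["sport"], alert["dst"], alert["dport"])

def pcap_flows(data: bytes) -> Dict[FlowKey, int]:
    """Count packets per 5-tuple in a classic (non-pcapng) pcap with Ethernet framing."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only the Ethernet link type is handled here")
    flows: Dict[FlowKey, int] = {}
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # skip anything that is not IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = socket.inet_ntoa(ip[12:16])
        dst = socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        sport = dport = 0
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        key = (PROTO_NAMES.get(proto, str(proto)), src, sport, dst, dport)
        flows[key] = flows.get(key, 0) + 1
    return flows

def alerts_without_packets(fast_text: str, pcap_bytes: bytes) -> List[dict]:
    """Alerts whose (proto, src, sport, dst, dport) never appears in the pcap."""
    flows = pcap_flows(pcap_bytes)
    return [a for a in parse_fast_alerts(fast_text) if flow_key(a) not in flows]

# --- constructed sample data: hypothetical hosts, not taken from the thread ---
def _tcp_frame(src: str, sport: int, dst: str, dport: int) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    return eth + ip + tcp

def build_sample_pcap() -> bytes:
    """A one-packet stand-in for snort.log: only the first sample alert's packet is present."""
    frame = _tcp_frame("10.0.0.5", 3456, "192.0.2.10", 80)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1303761001, 123456, len(frame), len(frame)) + frame
    return header + record

SAMPLE_FAST = """\
04/25-15:50:01.123456  [**] [1:1000001:1] SAMPLE web request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.0.2.10:80
04/25-15:50:02.654321  [**] [1:1394:12] SAMPLE shellcode alert [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    for a in alerts_without_packets(SAMPLE_FAST, build_sample_pcap()):
        print(f"no packet in pcap for [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Against a real deployment, read the alert file and snort.log from disk in place of the constructed samples; an alert that shows up in the output is one the sensor reported without writing the triggering packet, which is the symptom discussed in this thread and a starting point for a bug report with the rule in question.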