3. No pcap with Snort Emerging Threats Alerts

No pcap with Snort Emerging Threats Alerts

  • M

    I've been playing with Snort after not using it for a while and I noticed that when an alert is generated from an Emerging Threats rule it does not generate a packet capture file. There are no settings that I can see that controls when traffic is logged to a pcap. Is this a bug or is there a setting I'm missing? Maybe there's an argument I can enter to have it capture packets on an alert?

    Running pfSense 2.1 release
    Snort 2.9.5.6 pkg v3.0.4

    0
  • P

    There is no such function.  At least not in the GUI … and have I never seen that capability mentioned for the pfSense package.

    Suricata has the ability to run a pcap on an interface, but it is continuous, not triggered by an alert.

    0
  • M

    The HTTP preprocessor creates a packet capture for every alert. I'm not sure about the regular VRT rules. It's stored in the /var/log/snort directory and you can download it using the "download" button on the alert tab. Of course you'd have to have an alert generated by the HTTP preprocessor for the file to be there but it's usually named something like snort.log.1396802778. Seems odd that one part of Snort performs this function but the rest of it doesn't.

    0
  • P

    I stand corrected … Thank You!!

    Now ... why does this not work for ET?!  ;D

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy