1. Home
  2. pfSense Packages
  3. No pcap with Snort Emerging Threats Alerts

No pcap with Snort Emerging Threats Alerts

  • M

    I've been playing with Snort after not using it for a while and I noticed that when an alert is generated from an Emerging Threats rule it does not generate a packet capture file. There are no settings that I can see that controls when traffic is logged to a pcap. Is this a bug or is there a setting I'm missing? Maybe there's an argument I can enter to have it capture packets on an alert?

    Running pfSense 2.1 release
    Snort 2.9.5.6 pkg v3.0.4

    0
  • P

    There is no such function.  At least not in the GUI … and have I never seen that capability mentioned for the pfSense package.

    Suricata has the ability to run a pcap on an interface, but it is continuous, not triggered by an alert.

    0
  • M

    The HTTP preprocessor creates a packet capture for every alert. I'm not sure about the regular VRT rules. It's stored in the /var/log/snort directory and you can download it using the "download" button on the alert tab. Of course you'd have to have an alert generated by the HTTP preprocessor for the file to be there but it's usually named something like snort.log.1396802778. Seems odd that one part of Snort performs this function but the rest of it doesn't.

    0
  • P

    I stand corrected … Thank You!!

    Now ... why does this not work for ET?!  ;D

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy