No pcap with Snort Emerging Threats Alerts



  • I've been playing with Snort after not using it for a while and I noticed that when an alert is generated from an Emerging Threats rule it does not generate a packet capture file. There are no settings that I can see that control when traffic is logged to a pcap. Is this a bug or is there a setting I'm missing? Maybe there's an argument I can enter to have it capture packets on an alert?

    Running pfSense 2.1 release
    Snort 2.9.5.6 pkg v3.0.4



  • There is no such function.  At least not in the GUI … and I have never seen that capability mentioned for the pfSense package.

    Suricata has the ability to run a pcap on an interface, but it is continuous, not triggered by an alert.



  • The HTTP preprocessor creates a packet capture for every alert. I'm not sure about the regular VRT rules. It's stored in the /var/log/snort directory and you can download it using the "download" button on the alert tab. Of course you'd have to have an alert generated by the HTTP preprocessor for the file to be there but it's usually named something like snort.log.1396802778. Seems odd that one part of Snort performs this function but the rest of it doesn't.



  • I stand corrected … Thank You!!

    Now ... why does this not work for ET?!  ;D

