Netgate Discussion Forum
No pcap with Snort Emerging Threats Alerts

pfSense Packages · 4 Posts · 2 Posters · 2.8k Views
Matthias:

I've been playing with Snort after not using it for a while and I noticed that when an alert is generated from an Emerging Threats rule it does not generate a packet capture file. There are no settings that I can see that control when traffic is logged to a pcap. Is this a bug or is there a setting I'm missing? Maybe there's an argument I can enter to have it capture packets on an alert?

Running pfSense 2.1 release
Snort 2.9.5.6 pkg v3.0.4

priller:

There is no such function. At least not in the GUI … and I have never seen that capability mentioned for the pfSense package.

Suricata has the ability to run a pcap on an interface, but it is continuous, not triggered by an alert.

Matthias:

The HTTP preprocessor creates a packet capture for every alert. I'm not sure about the regular VRT rules. It's stored in the /var/log/snort directory and you can download it using the "download" button on the alert tab. Of course you'd have to have an alert generated by the HTTP preprocessor for the file to be there, but it's usually named something like snort.log.1396802778. Seems odd that one part of Snort performs this function but the rest of it doesn't.

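The post above says the captures land in /var/log/snort as snort.log.<epoch>, which leaves the analyst to work out which capture file belongs to which alert. The script below is an added example, not code from the thread or from the pfSense Snort package: it reads a directory listing and Snort alert_fast lines and pairs each alert with the newest snort.log.<epoch> file opened at or before the alert time. It assumes that <epoch> is the Unix time Snort opened the file (Snort's usual output-file naming) and that alert timestamps are in the timezone passed as `tz` (alert_fast omits the year and zone, so both are caller-supplied). All filenames and alert lines are constructed sample input.

```python
import re
from bisect import bisect_right
from datetime import datetime, timezone

# Capture files named snort.log.<epoch>, as the thread reports for /var/log/snort.
# Assumption: <epoch> is the Unix time the file was opened, so a file covers alerts
# from its epoch up to the epoch of the next file.
CAPTURE_RE = re.compile(r"^snort\.log\.(\d+)$")

# Snort alert_fast line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] ...
ALERT_RE = re.compile(
    r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]"
)

# Constructed sample input: a directory listing and three alert_fast lines.
SAMPLE_FILES = ["snort.log.1396802778", "snort.log.1396889178", "alert", "snort.log.bak"]
SAMPLE_ALERTS = [
    "04/06-17:02:03.000000  [**] [1:2000000:1] ET POLICY constructed test signature [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80",
    "04/07-18:00:00.000000  [**] [119:4:1] (http_inspect) constructed preprocessor alert [**] "
    "[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.11:40000 -> 198.51.100.5:80",
    "04/05-09:00:00.000000  [**] [1:2000001:1] ET POLICY alert older than any capture [**] "
    "[Priority: 2] {TCP} 192.0.2.12:40001 -> 198.51.100.5:80",
]


def capture_epochs(filenames):
    """Sorted epochs of files named snort.log.<epoch>; anything else is ignored."""
    return sorted(int(m.group(1)) for m in map(CAPTURE_RE.match, filenames) if m)


def parse_alert(line, year, tz=timezone.utc):
    """Parse one alert_fast line; alert_fast carries no year or zone, so both are supplied."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mo, d, h, mi, s = (int(x) for x in m.groups()[:5])
    when = datetime(year, mo, d, h, mi, s, tzinfo=tz)
    return {"alert_epoch": int(when.timestamp()), "gid_sid": m.group(6), "msg": m.group(7)}


def capture_for(alert_epoch, epochs):
    """Newest capture file opened at or before the alert; None if the alert predates them all."""
    i = bisect_right(epochs, alert_epoch) - 1
    return None if i < 0 else "snort.log.%d" % epochs[i]


def match_alerts(alert_lines, filenames, year, tz=timezone.utc):
    """Pair every parseable alert with its candidate capture file (or None)."""
    epochs = capture_epochs(filenames)
    out = []
    for line in alert_lines:
        a = parse_alert(line, year, tz)
        if a is None:
            continue  # not an alert_fast line (blank, header, other format)
        a["capture"] = capture_for(a["alert_epoch"], epochs)
        out.append(a)
    return out


if __name__ == "__main__":
    for a in match_alerts(SAMPLE_ALERTS, SAMPLE_FILES, 2014):
        print(a["gid_sid"], a["capture"] or "NO CAPTURE", "-", a["msg"])
```

In practice replace `SAMPLE_FILES` with `os.listdir("/var/log/snort")` and feed the lines of the alert log; an alert that maps to `None` simply has no capture covering it, which is the situation the thread describes for ET rule hits. A match only tells you which file to open; the capture may still not contain the flow if the rule that fired does not log packets.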
priller:

I stand corrected … Thank you!!

Now ... why does this not work for ET?! ;D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.