4. Snort pcap files

Snort pcap files

  • J

    Looking through the Log management settings, I see the listing for "event pcaps", with the description "Snort alert related packet captures"

    What sort of pcaps does Snort create and keep by default? Is this adjustable? And is it possible to access the pcaps after an alert is generated (for instance to verify if an alert was a false positive, further troubleshoot etc). If so where are these pcaps stored on the pfSense file system?

    0
  • F

    /var/log/snort/interface

    Open with wireshark the file that start with snort.log.

    F.

    0

  • @fsansfil is spot on with his answer.  You will find all the files in the /var/log/snort tree.  In that tree there will be a subdirectory for each configured Snort interface.  The name will be a combination of a GUID and the physical interface name (for example, em0 is one if you have an older Intel NIC).

    Bill

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy