Snort pcap files
Looking through the Log management settings, I see the listing for "event pcaps", with the description "Snort alert related packet captures"
What sort of pcaps does Snort create and keep by default? Is this adjustable? And is it possible to access the pcaps after an alert is generated (for instance to verify if an alert was a false positive, further troubleshoot etc). If so where are these pcaps stored on the pfSense file system?
Open with wireshark the file that start with snort.log.
bmeeks last edited by
@fsansfil is spot on with his answer. You will find all the files in the /var/log/snort tree. In that tree there will be a subdirectory for each configured Snort interface. The name will be a combination of a GUID and the physical interface name (for example, em0 is one if you have an older Intel NIC).