Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort pcap files

    Scheduled Pinned Locked Moved
    IDS/IPS
    3
    3
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jeffhammett
      last edited by

      Looking through the Log management settings, I see the listing for "event pcaps", with the description "Snort alert related packet captures"

      What sort of pcaps does Snort create and keep by default? Is this adjustable? And is it possible to access the pcaps after an alert is generated (for instance to verify if an alert was a false positive, further troubleshoot etc). If so where are these pcaps stored on the pfSense file system?

      1 Reply Last reply Reply Quote 0
      • F
        fsansfil
        last edited by

        /var/log/snort/interface

        Open with wireshark the file that start with snort.log.

        F.

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          @fsansfil is spot on with his answer.  You will find all the files in the /var/log/snort tree.  In that tree there will be a subdirectory for each configured Snort interface.  The name will be a combination of a GUID and the physical interface name (for example, em0 is one if you have an older Intel NIC).

          Bill

          1 Reply Last reply Reply Quote 0
          • First post
            Last post