> 2. Is there any way to see what exact traffic/pattern triggered the
> Snort Alert? I know how to find the rule description that the
> potentially harmful traffic matched, but interested to see the exact
> traffic log that triggered the alert. I'd like to have more
> information before marking it as a false positive for my environment
> and start ignoring or disable some rules.
>
> Snort saves the packets that triggered the alert in pcap format. You can
> download these from pfSense and view them with Wireshark.
>
> From Services > Snort > Alerts tab by Save or Remove Logs, click Download.
>
> John J.

Thank you John, but it doesn't seem to work. I can download the archive file, but inside it has a Barnyard2 folder with int.waldo files in it and three more files - int.stats, alert and some snort_randomnumber file. None of them seems to be in pcap format or to contain the pattern of the traffic that triggered the alert.

Best regards,
Sergii Cherkashyn

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
