Re: tag: Tagged Packet

[Dirk Geschke <dirk () geschke-online de>]

Hi,

> Correct me if I am wrong, but I think if stream4 reassembles a stream
> and triggers a rule, all the packets in the stream will get dumped
> individually as tagged packets.
>
> This may be why you are still seeing them.  I don't know how to
> disable that (this doesn't mean there isn't a way) short of turning
> off stream4 preprocessor, which isn't something you want to do.

yes and no... The unified output plugin saves the packets 
individually and marks them as tagged packets. The other output
plugins won't do this.

One prolem I see with this approach is that only the first
logged packet mentions the real matched signature rule. But
this is not necessarily the packet witch contains the alerting
content...

Best regards

Dirk


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users