Snort mailing list archives
Re: Problem with session tagging - multiple alerts in session
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 6 Apr 2016 09:55:44 +0000
Hello,

If you use the rules you have below it probably doesn't work because you are using the SAME sid number over and only ONE rule is matching. Try changing the SID numbers to unique ones first and see if that helps.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amir Kravitz [mailto:amirkravitz () gmx com]
Sent: Wednesday, April 06, 2016 2:41 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm trying to post again after my last attempt came out as an http source.

I'm new to Snort. I'm trying to use tag:session to log all the packets in the session. I found out that not all the packets in the session were logged as part of the session. When other packets in the tagged session generated new alerts, they were logged with the event-id of the new alert (the one they just generated) and not with the tagged session event-id.

How can I identify all the packets in the session (even if some of them generated other alerts)?

I'm using the rules:

alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )

Thanks,
Amir
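An added check, not from this thread or from the Snort project: a small rule linter in Python that takes the two rules Amir posted as constructed sample input and flags the reused SID that Al points out (a duplicate sid means only one rule loads, so the second never fires and its packets fall outside the tagged session). The function and variable names (`parse_rules`, `lint`, `SAMPLE_RULES`) are chosen here.

```python
import re

# Constructed sample reproducing the thread: both rules carry sid:10000001,
# so only one of them is loaded and the second never matches.
SAMPLE_RULES = """\
alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )
"""

# Rule header up to the opening parenthesis, then the option body.
HEADER_RE = re.compile(r'^(\w+\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*\((.*)\)\s*$')
# key:value option pairs; a quoted value may contain escaped characters and semicolons
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def parse_rules(text):
    """Parse rule lines into dicts with line number, header, sid and options."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse rule: {line}")
        header, body = m.groups()
        opts = {}
        for key, val in OPTION_RE.findall(body):
            opts.setdefault(key, []).append(val)
        sid = opts.get("sid")
        rules.append({"line": lineno, "header": header,
                      "sid": int(sid[0]) if sid else None, "options": opts})
    return rules


def lint(text):
    """Return findings as strings: rules without a sid, and sids reused across rules."""
    findings, seen = [], {}
    for r in parse_rules(text):
        if r["sid"] is None:
            findings.append(f"line {r['line']}: rule has no sid")
            continue
        seen.setdefault(r["sid"], []).append(r["line"])
    for sid, lines in seen.items():
        if len(lines) > 1:
            findings.append(f"sid {sid} reused on lines {lines}; only one rule will load")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Once the second rule gets its own sid, `lint` returns no findings and both rules load, which is the first thing to confirm before investigating how tagged packets are attributed to event ids.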