Snort mailing list archives

Re: [Snort-sigs] Anyone tried tagging?


From: Michael Boman <michael () ayeka dyndns org>
Date: Tue, 10 Sep 2002 16:54:10 +0800

At 08:17 PM 9/9/2002 -0700, you wrote:
Hi,

    adding tag to the below rule doesn't make a
difference to the alerts logged in my database. How
can I know if it is working?

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; tag: host,200,packets,src; itype: 8; depth: 16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;)

Thanks

Tagging puts the tagged packets in the 'log' facility, so you need to put your database in the 'log' facility as well.

Example:
output database: log, mysql, dbname=snort user=snort host=localhost password=xyz
                         ^^^^

The only bad thing about that is that the old (current) portscan detector (spp_portscan) only injects packets into the 'alert' facility, and they never move to the 'log' facility. I personally solved that by putting syslog logging on 'alert' and the database on 'log'.

Best regards
 Michael Boman

--
Michael Boman
Student, Husband, Geek. Not necessarily in that order though.
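A small configuration check that follows from the advice above, added here as an example and not code from the thread: given a snort.conf output section and a rules file, it reports any rule carrying a tag: option when no output plugin is attached to the 'log' facility, where Snort sends tagged packets. The sample conf and rule are constructed; the default-to-'alert' handling for unrecognised plugins is an assumption.

```python
import re

# Constructed sample inputs (not from the thread): an output section with the
# database on the 'alert' facility, plus one tagged rule.
SNORT_CONF = """\
output database: alert, mysql, dbname=snort user=snort host=localhost password=xyz
output alert_syslog: LOG_AUTH LOG_ALERT
"""
RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; \
content:"|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; \
tag:host,200,packets,src; itype:8; depth:16; sid:382; rev:4;)
"""

OUTPUT_RE = re.compile(r'^\s*output\s+(\w+)\s*:\s*(.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
TAG_RE = re.compile(r'\btag\s*:\s*([^;]+)')


def output_facilities(conf):
    """Return {plugin: facility}. The database plugin names its facility as its
    first argument; otherwise the plugin name prefix decides (log_* -> 'log'),
    and anything else is assumed to sit on 'alert'."""
    result = {}
    for line in conf.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.groups()
        first = args.split(',')[0].strip().lower()
        if first in ('alert', 'log'):
            result[plugin] = first
        else:
            result[plugin] = 'log' if plugin.startswith('log_') else 'alert'
    return result


def tagged_rules(rules):
    """Return {sid: tag options} for every rule that carries a tag: option."""
    found = {}
    for line in rules.splitlines():
        t, s = TAG_RE.search(line), SID_RE.search(line)
        if t and s:
            found[int(s.group(1))] = t.group(1).strip()
    return found


def check_tag_outputs(conf, rules):
    """Warn for each tagged rule when nothing is attached to the 'log' facility."""
    facs = output_facilities(conf)
    if any(f == 'log' for f in facs.values()):
        return []
    return [f"sid {sid}: tag:{opts} set, but no output plugin is on 'log' ({facs})"
            for sid, opts in tagged_rules(rules).items()]
```

Running `check_tag_outputs(SNORT_CONF, RULES)` flags sid 382; changing the database line to `output database: log, ...` clears the warning.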



