Snort mailing list archives

Allow me to field a question


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 25 Apr 2003 12:49:26 -0600

In respect to either activate/dynamic and/or tag.  Let's say that I have
specified "tag: host, 300, packets, src;" on many of the rules.  Since snort
is running in such a manner that it is only sending output to the MySQL
database... no alert file.  Under these circumstances, where are the 300
packet capture files going to end up and is it possible to view these on the
ACID console?  My guess is that for each "tagged" session, a separate
directory is created in /var/log/snort with a corresponding IP and in each
of those directories are the "tagged" sessions.  If this is true, is this
data available in the ACID console? And if not, is there a way to make it so?
