Snort mailing list archives

Re: Tagged Packet ... AAAHHH


From: Jeff Kell <jeff-kell () utc edu>
Date: Sun, 30 Oct 2005 22:28:59 -0500

Joel Esler wrote:
One of your rules (most likely a bleedingsnort rule) has the keyword "tag" in it. Look in your rules for the word "tag" and remove the keyword and its modifiers from the rule body.

Not sure how to do this with other post-processing utilities, but if you're using BASE, you can usually track this down by doing the following to one of the tagged packets in question:

Click on the source address.  Select "source or destination".  Clear the "tagged" alert signature criteria.  Sort the result chronologically.  The signature that contained the triggering "tag" should precede the tagged packets in the output.  If it doesn't, repeat the same procedure with the destination address.

Jeff
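Joel's advice above is to find the rule that carries the "tag" keyword and remove it; the following Python checker is an added example (not from this thread or from the Snort project) that does that search over a rules file by matching `tag:` only as a rule option, so a rule whose msg merely contains the word "tagged" is not a false hit, commented-out rules are skipped, and each hit is shown with the tag option stripped. The sample rules embedded in it are constructed for the demonstration.

```python
import re

# Constructed sample rules (not from the thread). Only sids 1000002 and 1000004
# carry a real tag option; 1000001 only has "tagged" inside its msg string.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"TEST tagged word in msg only"; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST ssh probe"; flags:S; tag:session,300,packets; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"commented out"; tag:host,600,seconds,src; sid:1000003;)
alert udp any any -> any 53 (msg:"TEST dns; note tag: in msg"; tag:host,30,seconds,dst; sid:1000004; rev:2;)
'''

TAG_OPT = re.compile(r'^tag\s*:')   # the tag keyword as a rule option, e.g. tag:session,300,packets
SID_OPT = re.compile(r'^sid\s*:')

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside double-quoted values."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    return [o for o in opts + [tail] if o]

def find_tag_rules(text):
    """Return (sid, tag option, rule with the tag option removed) for each active rule using tag."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):        # skip blank lines and commented-out rules
            continue
        m = re.match(r'^(.*?)\((.*)\)\s*$', line)   # header ( option; option; ... )
        if not m:
            continue
        header, opts = m.group(1), split_options(m.group(2))
        tags = [o for o in opts if TAG_OPT.match(o)]
        if not tags:
            continue
        sid = next((o.split(':', 1)[1].strip() for o in opts if SID_OPT.match(o)), None)
        kept = '; '.join(o for o in opts if not TAG_OPT.match(o))
        found.append((sid, tags[0], f"{header}({kept};)"))
    return found
```

Point `find_tag_rules` at the contents of your rules files and the returned sids are the rules to edit; the third element is the rule body as it would look with the tag option removed.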

