Snort mailing list archives

Re: alert suppression


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 6 May 2009 16:56:39 -0400

Check out the README.tag in the doc/ directory of Snort.
J

On Wed, May 6, 2009 at 4:48 PM, Greg Bowser <topnotcher () gmail com> wrote:

Yes I am running some of the emerging-threats rules, and grepping for
“tag:” shows quite a few rules that use it.
Is there no way to determine which rule is generating the “tag: tagged
packet” alert? What is it for exactly?
Sometimes, it is nice to see the packets that follow the packet that
triggered an alert (i.e. the response). The tag keyword accomplishes this.
Any of the rules you found that have the "tag" keyword will tag packets.
(exactly which packets and how many is specified in the rule)
If you look at the traffic with the same src/dst ip pair (in either order)
before the tagged packets, you should see the rule that started the tagging.
-- Greg

-- 
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 |
http://twitter.com/joelesler
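Greg's correlation step (find the most recent non-tag alert on the same src/dst IP pair, in either order, that precedes each "tag: tagged packet" alert) written out as a small script. This is an added example, not code from the thread or from Snort itself; it assumes Snort's "fast" alert log format, identifies tagged packets by their message text, and runs over constructed sample lines.

```python
import re

# Snort "fast" alert format, e.g.
#   05/06-16:40:01.000001  [**] [1:2000001:3] MSG [**] [Priority: 1] {TCP} 10.0.0.5:51000 -> 198.51.100.7:80
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

# Constructed sample log: one rule hit, two packets tagged by it (both directions),
# and one orphan tagged packet whose originating alert is not in this log window.
SAMPLE_ALERTS = [
    "05/06-16:40:01.000001  [**] [1:2000001:3] CONSTRUCTED outbound policy hit [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51000 -> 198.51.100.7:80",
    "05/06-16:40:01.000500  [**] [2:1:0] tag: Tagged Packet [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 10.0.0.5:51000",
    "05/06-16:40:01.001000  [**] [2:1:0] tag: Tagged Packet [**] [Priority: 3] {TCP} 10.0.0.5:51000 -> 198.51.100.7:80",
    "05/06-16:40:02.000000  [**] [2:1:0] tag: Tagged Packet [**] [Priority: 3] {TCP} 10.0.0.9:51001 -> 203.0.113.2:443",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not fast-format alerts."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def is_tagged(alert):
    # Match on the message text, so the result does not depend on the tag generator's GID:SID.
    return alert['msg'].lower().startswith('tag: tagged packet')

def pair_key(alert):
    # Unordered IP pair: request and response directions map to the same key.
    return frozenset((alert['src'], alert['dst']))

def correlate(lines):
    """Attach to each tagged packet the last non-tag alert seen on its IP pair (None if unknown)."""
    last_rule = {}   # pair_key -> ("gid:sid", msg) of the most recent real rule hit
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = pair_key(a)
        if is_tagged(a):
            results.append({'ts': a['ts'], 'src': a['src'], 'dst': a['dst'],
                            'origin': last_rule.get(key)})
        else:
            last_rule[key] = (f"{a['gid']}:{a['sid']}", a['msg'])
    return results

if __name__ == '__main__':
    for r in correlate(SAMPLE_ALERTS):
        print(r['ts'], r['src'], '->', r['dst'], 'tagged by', r['origin'] or 'UNKNOWN (outside log window)')
```

An `origin` of None means the triggering alert is not in the lines you fed in (earlier log file, or the rule tagged by host rather than session), so widen the window before concluding the tag is spurious.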
