Snort mailing list archives

Re: Tagged packets alerts


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 14 Dec 2010 08:05:10 -0500

Getting an alert on a "tagged" packet with a rule without "tag" as an option means that your rule is firing on a stream-reassembled packet (as opposed to a single packet).


Sent from my iPhone

On Dec 14, 2010, at 7:30 AM, Kungu Panda <kungupanda () gmail com> wrote:

I am getting tagged packet alerts for rules that *do not* include the 'tag' directive, such as sid:16313.

I am also getting tagged packet alerts for so_rules like sid:13824. I understand why this could be occurring -- the compiled so_rule includes the 'tag' directive, and that is not something that can be manipulated.

I would really like to disable tagged packet alerts in their entirety; I don't need them since we perform full packet captures to disc. I am already performing a global search and replace on all non-so_rules that come with 'tag' to eliminate the tag directive.

Background:
   snort v2.8.6.3, outputting to log_unified, alert_unified, barnyard to BASE.

Any thoughts or ideas?
K.Panda

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
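The "global search and replace" on the text rules mentioned above is safer done with a parser that respects quoted content strings, because a plain `sed` over `tag:` can cut through a `content:"..."` that contains a semicolon. The following is an added example, not code from the thread or from the Snort project; the rules and sids in it are constructed placeholders, and it only touches plaintext rule files (compiled so_rules are, as the poster notes, out of reach for this).

```python
import re

# Constructed sample rules file; sids and messages are placeholders, not real Snort rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; content:"a;b"; tag:session,10,packets; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE two"; flow:to_server; tag:host,300,seconds,src; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"EXAMPLE three"; content:"|00 01|"; sid:1000003; rev:1;)
"""

def split_options(body):
    """Split a rule option body on ';' that sit outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):      # keep escaped char verbatim (e.g. \" or \;)
            cur.append(ch); cur.append(body[i + 1]); i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts

def strip_tag(line):
    """Remove every tag: option from one rule line. Returns (new_line, number_removed).
    Lines that are not rules (comments, blanks, no option body) come back unchanged."""
    m = re.match(r'^(\s*#?\s*\w.*?\()(.*)(\)\s*)$', line)
    if not m:
        return line, 0
    head, body, tail = m.groups()
    opts = split_options(body)
    kept = [o for o in opts if not o.lower().startswith('tag:')]
    return head + ' '.join(o + ';' for o in kept) + tail, len(opts) - len(kept)

def strip_tags(text):
    """Apply strip_tag to a whole rules file; returns (new_text, total tag options removed)."""
    out, removed = [], 0
    for line in text.splitlines():
        new, n = strip_tag(line)
        out.append(new); removed += n
    return '\n'.join(out) + '\n', removed
```

Run it over a copy of the rules directory and diff the result before swapping it in; the removed count gives a quick sanity check against a `grep -c 'tag:'` of the originals.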
