Snort mailing list archives

Re: Tag Feature question


From: Josh Blender <jsblists () gmail com>
Date: Wed, 2 Mar 2011 11:01:14 -0500

Thank you.  I think I actually figured this out, though.  It seems that the
tag option only works with the "alert" action and does not function at all
with the "log" type.  I suppose this may have something to do with my
default output device being a mysql log, which is specifically said to not
function with "tag", but I'm not quite sure.  In any case, I have it doing
what I need now.  Thanks.

On Wed, Mar 2, 2011 at 7:47 AM, Edward Fjellskål <edwardfjellskaal () gmail com> wrote:

I published a blog post about the tag option:
http://www.gamelinux.org/?p=329
"Packetcapture with Snort using the “tag” option"

Hope this might give you an idea on how to turn your snort into a pcap device ;)

E



On Tue, Mar 1, 2011 at 5:33 PM, Josh Blender <jsblists () gmail com> wrote:
Hi, I'm a pretty new Snort user and I'm trying to get the "tag:" feature to work so that I can capture the entire connection once a packet triggers a rule.
Unfortunately, I've tested this in several ways, and I simply can't get this tag feature to work.  In local.rules, I have:
tagtest tcp any any -> {ip address} 80 (content:"/{url}"; tag:host,5,packets,src; sid:100002; rev:1;)
and I have a dedicated log file for catching this rule:
ruletype tagtest
{
        type log
        output log_tcpdump: tagtest.log
}
I've also tried using "tag:session,10,seconds" and various output methods (not database, as I understand that does not work properly).
No matter what I do, I cannot get Snort to log more than the first packet.  The rule works perfectly - it triggers on traffic that I want it to trigger on, and it writes to the log files perfectly, but it just will NOT log anything more than 1 packet no matter what I do.  Are there any preprocessor directives that are required to let tagging work?  Anything else I might be missing that might prevent this from working?
Thank you,
Josh B


------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT data
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/

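A small rule linter, added here as an example and not code from this thread or from the Snort project, that checks tag options in a rules file against the documented Snort 2.x tag grammar (tag:session,count,metric or tag:host,count,metric,direction) and flags the case the thread settled on: a tagged rule whose action is a custom ruletype declared as type log. The sample ruletype and rules are constructed to mirror the poster's setup; the address and URL are placeholders.

```python
import re

# Snort 2.x tag grammar: tag:session,<count>,<metric> | tag:host,<count>,<metric>,<direction>
METRICS, DIRECTIONS = {"packets", "seconds", "bytes"}, {"src", "dst"}
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
RULE_RE = re.compile(r"^\s*(\w+)\s+\w+\s+.*?\((.*)\)\s*$")
OPT_RE = re.compile(r"\s*(\w+)\s*(?::\s*([^;]*))?(?:;|$)")  # value runs to next ';'

def ruletype_actions(conf):
    # name -> declared type (alert, log, pass ...) for every 'ruletype' block
    return {name: (re.search(r"\btype\s+(\w+)", body) or [None, None])[1]
            for name, body in RULETYPE_RE.findall(conf)}

def check_tag(value):
    """Return the problems in a tag option value ([] when it is well formed)."""
    parts = [p.strip() for p in value.split(",")]
    kind, count, metric = (parts + [""] * 3)[:3]  # missing fields become ""
    problems = []
    if kind not in ("session", "host"):
        problems.append(f"unknown tag type {kind!r}")
    if not count.isdigit() or int(count) == 0:
        problems.append(f"count {count!r} must be a positive integer")
    if metric not in METRICS:
        problems.append(f"unknown metric {metric!r}")
    if kind == "host" and (len(parts) < 4 or parts[3] not in DIRECTIONS):
        problems.append("tag:host requires a direction of src or dst")
    return problems

def audit_rules(conf, rules):
    """(sid, problem) for tagged rules that are malformed or fire under a 'log' ruletype."""
    types, findings = ruletype_actions(conf), []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, opts = m.group(1), dict(OPT_RE.findall(m.group(2)))
        if "tag" not in opts:
            continue
        sid = opts.get("sid", "?")
        findings += [(sid, p) for p in check_tag(opts["tag"])]
        if types.get(action, action) == "log":  # the thread's finding: only 'alert' tagged
            findings.append((sid, f"ruletype {action!r} is type log; tagging only worked with alert"))
    return findings

# Constructed sample: the poster's log ruletype and rule, plus a valid and a bad alert rule.
SAMPLE_CONF = "ruletype tagtest\n{\n    type log\n    output log_tcpdump: tagtest.log\n}\n"
SAMPLE_RULES = """\
tagtest tcp any any -> 192.0.2.10 80 (content:"/login"; tag:host,5,packets,src; sid:100002; rev:1;)
alert tcp any any -> 192.0.2.10 80 (content:"/login"; tag:session,10,seconds; sid:100003; rev:1;)
alert tcp any any -> 192.0.2.10 80 (content:"/login"; tag:host,5,packets; sid:100004; rev:1;)
"""
```

Running audit_rules(SAMPLE_CONF, SAMPLE_RULES) reports sid 100002 for the log ruletype and sid 100004 for the missing direction, and nothing for the valid alert rule.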
