Snort mailing list archives

Re: How to see output snort rule TAG option?

From: James Dickenson <jdickenson () gmail com>
Date: Tue, 31 Jul 2012 19:05:24 -0700

It depends on what outputs you have configured in your snort.conf.  If
using barnyard it will be in the unified file and you will have to use
u2boat to convert it into pcap form.  If just testing what I typically
do is turn on the pcap output you can do this in barnyard or have
snort output directly (though this can affect performance).  Something
like this should work and will output to your specified output folder
in the snort.conf or as a flag at runtime.

 output log_tcpdump: tcpdump.log

Hope that helps!

-James Dickenson

On Tue, Jul 31, 2012 at 1:23 PM, Tran M. Thang <tmthang () vncert vn> wrote:

Hi Snort Users

Any one can tell me where i can see output snort rule tag option such as:

alert tcp 192.168.1.16 any  -> 13.28.172.17 80 (msg:" test tag seesion"; tag:host,10,packets,src; sid:1310730;rev:1;)

Thanks

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

How to see output snort rule TAG option? Tran M. Thang (Jul 31)
- Re: How to see output snort rule TAG option? James Dickenson (Aug 01)