Snort mailing list archives

Re: Problem with session tagging - multiple alerts in session


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 6 Apr 2016 09:55:44 +0000

Hello,

If you use the rules you have below, it probably doesn’t work because you are using the SAME sid number twice and only ONE rule is matching.

Try changing the SID numbers to unique ones first and see if that helps.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amir Kravitz [mailto:amirkravitz () gmx com]
Sent: Wednesday, April 06, 2016 2:41 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm trying to post again after my last attempt came out as an http source...

I'm new to snort.
I'm trying to use tag:session to log all the packets in the session.
I found out that not all the packets in the session were logged as part of the session.
When other packets in the tagged session generated new alerts, they were logged with the event-id of the new alert (they just generated) and not with the tagged session event-id.
How can I identify all the packets in the session (even if some of them generated other alert) ?

I'm using the rules:
alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )

Thanks,
Amir
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
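The reply above boils down to one check: every rule needs its own gid:sid pair, and the two posted rules share sid:10000001. As an added example (my own code, not from the thread or from the Snort project), here is a small Python linter that parses Snort 2 text rules, pulls out gid, sid, rev and tag, and reports any gid:sid pair used by more than one rule. The embedded rule set is constructed for this example: it contains the two rules from the thread next to a corrected pair with unique sids, plus one rule with an explicit gid to show that gid:sid, not sid alone, is the identity. The option parsing is deliberately simple (it splits on semicolons) and would be confused by a semicolon inside a quoted content string.

```python
"""Lint Snort 2 text rules for duplicate gid:sid pairs (example code, not from the post)."""
import re
from collections import defaultdict

# Constructed sample rule set for this example (not from the original post).
SAMPLE_RULES = """\
# The two rules from the thread: both carry sid:10000001
alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )
# Corrected: distinct sids, so each rule has its own identity
alert tcp any any -> any any ( content:"AAA"; sid:10000002; rev:1; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB"; sid:10000003; rev:1; )
# Same sid as the line above but a different gid: a distinct gid:sid pair, not a duplicate
alert tcp any any -> any any ( content:"CCC"; gid:2; sid:10000003; )
"""

# Rule header: action proto src sport direction dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def _option(options, name):
    """Return the value of a `name:value;` option, or None if absent.

    Naive: a ';' inside a quoted content string would break this split.
    """
    m = re.search(r"(?:^|;)\s*" + name + r"\s*:\s*([^;]*?)\s*(?:;|$)", options)
    return m.group(1) if m else None


def parse_rules(text):
    """Parse a rules file body into a list of dicts, one per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a recognised rule: {line}")
        opts = m.group("options")
        sid = _option(opts, "sid")
        if sid is None:
            raise ValueError(f"line {lineno}: rule has no sid option")
        gid = _option(opts, "gid")
        rules.append({
            "line": lineno,
            "action": m.group("action"),
            "gid": int(gid) if gid else 1,   # 1 is Snort's generator id for text rules
            "sid": int(sid),
            "rev": int(_option(opts, "rev") or 0),
            "tag": _option(opts, "tag"),     # e.g. "session,10,seconds", or None
        })
    return rules


def find_duplicate_ids(rules):
    """Map each (gid, sid) used by more than one rule to the line numbers using it."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["gid"], r["sid"])].append(r["line"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def tagged_rule_ids(rules):
    """(gid, sid) pairs of rules that carry a tag option, i.e. will tag sessions/hosts."""
    return [(r["gid"], r["sid"]) for r in rules if r["tag"]]


def lint(text):
    """Return human-readable findings for a rules file body."""
    rules = parse_rules(text)
    findings = []
    for (gid, sid), lines in sorted(find_duplicate_ids(rules).items()):
        findings.append(
            f"gid:{gid} sid:{sid} is used on lines {lines}; "
            f"each rule needs a unique gid:sid pair, give each its own sid"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
    print("rules that tag:", tagged_rule_ids(parse_rules(SAMPLE_RULES)))
```

Run it against a real rules file by passing its contents to lint(); the two thread rules are reported once, the corrected pair is silent, and the gid:2 rule is not confused with the gid:1 rule that shares its sid.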
