|Main Archive Page > Month Archives > snort-users archives|
>Yes I am running some of the emerging-threats rules, and grepping for
“tag:” shows quite a few rules that use it.
> Is there no way to determine which rule is generating the “tag: tagged
packet” alert? What is it for exactly?
Somtimes, it is nice to see the packets that follow the packet that triggered an alert. (i.e. the response). The tag keyword accomplishes this. Any of the rules you found that have the "tag" keyword will tag packets. (exactly which packets and how many is specified in the rule) If you look at the traffic with the same src/dst ip pair (in either order) before the tagged packets, you should see the rule that started the tagging. -- Greg