snort-users May 2009 archive

Re: [Snort-users] alert suppression

From: Joel Esler <jesler_at_nospam>
Date: Wed May 06 2009 - 20:56:39 GMT
To: Greg Bowser <topnotcher@gmail.com>


Check out the README.tag in the doc/ directory of Snort. J

On Wed, May 6, 2009 at 4:48 PM, Greg Bowser <topnotcher@gmail.com> wrote:

> > Yes I am running some of the emerging-threats rules, and grepping for
> > “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag: tagged
> > packet” alert? What is it for exactly?
> Sometimes, it is nice to see the packets that follow the packet that
> triggered an alert. (i.e. the response). The tag keyword accomplishes this.
> Any of the rules you found that have the "tag" keyword will tag packets.
> (exactly which packets and how many is specified in the rule)
> If you look at the traffic with the same src/dst ip pair (in either order)
> before the tagged packets, you should see the rule that started the tagging.
> -- Greg
-- joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 | http://twitter.com/joelesler
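Greg's two points (grep the ruleset for `tag:` to find the tagging rules, then match tagged packets back to the preceding alert on the same IP pair in either order) as a small added script; this is example code written for this archive page, not Snort's own tooling or anything the list members posted. The rules and fast-style alert lines are constructed samples with EXAMPLE/9000xxx sids, and the `[2:1:0]` generator id on the tagged-packet lines is an assumption about the log format.

```python
import re

# Constructed sample rules (sids 9000001-9000003 are placeholders).
# Snort tag syntax: tag:<session|host>,<count>,<packets|seconds|bytes>[,src|dst]
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'content:"/probe"; tag:session,5,packets; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc"; '
    'content:"NICK"; tag:host,30,seconds,src; sid:9000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns"; sid:9000003; rev:1;)',
]

# Constructed fast-alert style lines; the second tagged packet has a new
# source port, so only the IP pair (not the 5-tuple) links it to sid 9000001.
ALERTS = [
    "05/06-16:48:01.000000  [**] [1:9000001:1] EXAMPLE web probe [**] [Priority: 2] {TCP} 203.0.113.7:43210 -> 192.0.2.10:80",
    "05/06-16:48:01.050000  [**] [2:1:0] tag: tagged packet [**] [Priority: 0] {TCP} 192.0.2.10:80 -> 203.0.113.7:43210",
    "05/06-16:48:02.000000  [**] [1:9000003:1] EXAMPLE dns [**] [Priority: 3] {UDP} 192.0.2.20:5353 -> 192.0.2.53:53",
    "05/06-16:48:02.100000  [**] [2:1:0] tag: tagged packet [**] [Priority: 0] {TCP} 203.0.113.7:43211 -> 192.0.2.10:80",
]

TAG_RE = re.compile(r'tag:\s*(session|host)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)'
                    r'(?:\s*,\s*(src|dst))?\s*;')
SID_RE = re.compile(r'sid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"\s*;')
ALERT_RE = re.compile(r'\[(\d+):(\d+):\d+\] (.+?) \[\*\*\].*?\{\w+\} (\S+) -> (\S+)')

def rules_with_tag(rules):
    """Return {sid: (msg, type, count, metric, direction)} for every rule carrying tag:."""
    found = {}
    for rule in rules:
        m = TAG_RE.search(rule)
        if m:
            sid = int(SID_RE.search(rule).group(1))
            found[sid] = (MSG_RE.search(rule).group(1), m.group(1), int(m.group(2)),
                          m.group(3), m.group(4))
    return found

def attribute_tagged(alerts):
    """Map each 'tag: tagged packet' alert to the most recent non-tag alert seen on the
    same src/dst IP pair in either order (the rule that started the tagging), or None."""
    last_by_pair, result = {}, []
    for line in alerts:
        m = ALERT_RE.search(line)
        if not m:
            continue
        _gid, sid, msg, src, dst = m.groups()
        pair = frozenset((src.split(':')[0], dst.split(':')[0]))  # ports ignored
        if msg.lower().startswith('tag:'):
            result.append((line[:21], last_by_pair.get(pair)))
        else:
            last_by_pair[pair] = (int(sid), msg)
    return result
```

A tagged packet whose IP pair has no earlier alert in the window you are looking at comes back as None, which usually means the originating alert is earlier than the log slice you loaded.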

