snort-users May 2009 archive

Re: [Snort-users] alert suppression

From: Joel Esler <jesler_at_nospam>
Date: Wed May 06 2009 - 20:56:39 GMT
To: Greg Bowser <>

Check out the README.tag in the doc/ directory of Snort. J

On Wed, May 6, 2009 at 4:48 PM, Greg Bowser <> wrote:

> > Yes I am running some of the emerging-threats rules, and grepping for
> > “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag: tagged
> > packet” alert? What is it for exactly?
>
> Sometimes, it is nice to see the packets that follow the packet that
> triggered an alert. (i.e. the response). The tag keyword accomplishes this.
> Any of the rules you found that have the "tag" keyword will tag packets.
> (exactly which packets and how many is specified in the rule)
> If you look at the traffic with the same src/dst ip pair (in either order)
> before the tagged packets, you should see the rule that started the tagging.
> -- Greg
-- joel esler | Sourcefire | gtalk: | 302-223-5974 |
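
The lookup described in the quoted reply (find the earlier alert on the same src/dst IP pair, in either order), as an added example that is not part of the original thread. It assumes alerts logged in Snort's "fast" one-line format; the sample lines, SIDs, messages and addresses are constructed, and picking the most recent earlier alert on the pair is a heuristic.

```python
import re

# Constructed sample lines in Snort "fast" alert format (not from the thread).
SAMPLE = """\
05/06-16:40:01.100000  [**] [1:2000001:3] ET EXAMPLE rule with tag option [**] [Priority: 1] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
05/06-16:40:01.200000  [**] [1:2000002:1] ET EXAMPLE unrelated rule [**] [Priority: 2] {TCP} 192.0.2.77:40000 -> 203.0.113.9:25
05/06-16:40:01.300000  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 0] {TCP} 198.51.100.5:80 -> 192.0.2.10:49152
05/06-16:40:01.400000  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 0] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
05/06-16:40:02.000000  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 0] {TCP} 203.0.113.50:443 -> 192.0.2.20:50000
"""

# timestamp, [gid:sid:rev], message, then {PROTO} src[:port] -> dst[:port]
LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def attribute_tagged(log_text):
    """Map each tagged-packet alert to the last earlier alert on the same IP pair."""
    last_alert = {}  # frozenset({src, dst}) -> (gid, sid, msg) of latest non-tag alert
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not fast-format alerts
        pair = frozenset((m["src"], m["dst"]))  # order-independent, as the reply says
        if "tagged packet" in m["msg"].lower():
            origin = last_alert.get(pair)  # None when the trigger is not in this log
            results.append((m["ts"], m["src"], m["dst"], origin))
        else:
            last_alert[pair] = (int(m["gid"]), int(m["sid"]), m["msg"])
    return results

if __name__ == "__main__":
    for ts, src, dst, origin in attribute_tagged(SAMPLE):
        label = f"{origin[0]}:{origin[1]} {origin[2]}" if origin else "no earlier alert in log"
        print(f"{ts} {src} -> {dst}: started by {label}")
```
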
