[Snort-devel] logging tagged packets

Hamilton, Brian O. BOHamilton at ...1551...
Mon Aug 26 13:56:03 EDT 2002


Sorry about the lack of detail.  Hopefully this will help...

I currently have snort logging to a postgres database.
When I configure the tagging option on an alert and there is a hit on that
alert, the hit is correctly logged with sig_id (sid), sig_name (msg), etc.
However, the tagged packets after the original alert are logged with the
next available sig_id and a blank sig_name.
I was just wondering if there are plans to add a way to define the "msg"
parameter for tagged packets.
Maybe something like take the msg of an alert ("WEB-MISC directory
traversal") and add "(session)" to the end ("WEB-MISC directory traversal
(session)") as the msg entry for its tagged packets.

thanks,

-brian
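
The relabeling proposed above, as an added illustration that is not part of this thread or of Snort's own code: it walks event rows in time order, remembers the last real alert seen on each flow, and gives every later blank-msg row on that flow the alert's msg with " (session)" appended. The Event fields, the sample rows, the sig_id values and the 300-second window are constructed assumptions for the example, not Snort's database schema.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Event:
    cid: int          # constructed per-sensor event counter
    timestamp: float  # seconds since epoch (constructed)
    src: str
    dst: str
    sig_id: int       # tagged rows carry "the next available sig_id" (see thread)
    sig_name: str     # "" for tagged packets, as described in the thread

def label_tagged_packets(events: List[Event], window: float = 300.0) -> List[Event]:
    """Return a copy of `events` (sorted by time) in which each blank-msg row
    inherits the msg of the most recent earlier alert on the same flow, with
    " (session)" appended. Rows whose flow has no alert within `window`
    seconds are left untouched; sig_id is never changed."""
    out: List[Event] = []
    # tag:session captures both directions, so key the flow on the unordered pair
    last_alert: Dict[FrozenSet[str], Event] = {}
    for ev in sorted(events, key=lambda e: (e.timestamp, e.cid)):
        key = frozenset((ev.src, ev.dst))
        if ev.sig_name:                    # a real alert: remember it for this flow
            last_alert[key] = ev
            out.append(ev)
            continue
        alert = last_alert.get(key)
        if alert is not None and ev.timestamp - alert.timestamp <= window:
            ev = replace(ev, sig_name=f"{alert.sig_name} (session)")
        out.append(ev)
    return out

# Constructed sample rows: one alert, two tagged packets on its flow (both
# directions), and one blank row on an unrelated flow that must stay blank.
SAMPLE_EVENTS = [
    Event(1, 1000.0, "10.0.0.5", "192.168.1.10", 90001, "WEB-MISC directory traversal"),
    Event(2, 1000.4, "192.168.1.10", "10.0.0.5", 90002, ""),
    Event(3, 1001.2, "10.0.0.5", "192.168.1.10", 90003, ""),
    Event(4, 1003.0, "10.0.0.7", "192.168.1.10", 90004, ""),
]

if __name__ == "__main__":
    for ev in label_tagged_packets(SAMPLE_EVENTS):
        print(ev.cid, ev.sig_id, repr(ev.sig_name))
```

Keying the flow on the unordered address pair is what makes the reply-direction tagged packet (row 2) pick up the alert; keying on the ordered pair would leave it blank. The window guard keeps a stale alert from relabeling unrelated traffic that later happens on the same address pair.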

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, August 26, 2002 11:03 AM
To: Hamilton, Brian O.
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] logging tagged packets


"Hamilton, Brian O." <BOHamilton at ...1551...> writes:

> (currently running 1.8)
>
> are there plans or does 1.9 already address the issue of tagged packets
> not being logged with a sid_name?

Logged to what output system?  My hunch is no but I don't have any
idea what you are talking about :)

>
> -brian

-- 
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx