[Snort-devel] logging tagged packets
Hamilton, Brian O.
BOHamilton at ...1551...
Mon Aug 26 13:56:03 EDT 2002
Sorry about the lack of detail. Hopefully this will help...

I currently have Snort logging to a Postgres database.

When I configure the tagging option on an alert and there is a hit on that alert, the hit is correctly logged with sig_id (sid), sig_name (msg), etc. However, the tagged packets after the original alert are logged with the next available sig_id and a blank sig_name.

I was just wondering if there are plans to add a way to define the "msg" parameter for tagged packets.

Maybe something like taking the msg of an alert ("WEB-MISC directory traversal") and adding "(session)" to the end ("WEB-MISC directory traversal (session)") as the msg entry for its tagged packets.
From: Chris Green [mailto:cmg at ...402...]
Sent: Monday, August 26, 2002 11:03 AM
To: Hamilton, Brian O.
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] logging tagged packets
"Hamilton, Brian O." <BOHamilton at ...1551...> writes:
> (Currently running 1.8.)
> Are there plans to, or does 1.9 already, address the issue of tagged packets
> being logged with a sid_name?
Logged to what output system? My hunch is no, but I don't have any idea what you are talking about :)
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
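The naming scheme Brian proposes above (tagged packets inherit the parent alert's msg with "(session)" appended) could be applied as a post-processing step over rows pulled from the database. The following is an added example, not code from the thread or from Snort; it assumes a simplified, constructed row shape (cid, timestamp, src, dst, sig_id, sig_name) rather than the real Snort schema, and it assumes a tagged packet's parent is the most recent named alert on the same address pair within a time window, since the thread says the database stores no explicit link.

```python
from dataclasses import dataclass, replace


@dataclass
class EventRow:
    # Constructed, simplified stand-in for a joined event/signature row.
    cid: int          # event counter
    timestamp: float  # seconds; float keeps the example self-contained
    src: str
    dst: str
    sig_id: int
    sig_name: str     # "" for tagged packets, as the post describes


def label_tagged_events(rows, window_s=60.0, suffix="(session)"):
    """Return rows with blank sig_names replaced by '<parent msg> (session)'.

    Assumption (not from the thread): the parent of a tagged packet is the
    most recent named alert on the same src/dst pair, in either direction,
    within window_s seconds. Rows with no plausible parent are left blank.
    """
    last_alert = {}   # (src, dst) -> most recent named alert on that pair
    out = []
    for row in sorted(rows, key=lambda r: (r.timestamp, r.cid)):
        key = (row.src, row.dst)
        if row.sig_name:                 # a real alert: remember it as a parent
            last_alert[key] = row
            out.append(row)
            continue
        # Tagged session packets flow both ways, so also try the reverse pair.
        parent = last_alert.get(key) or last_alert.get((row.dst, row.src))
        if parent and row.timestamp - parent.timestamp <= window_s:
            out.append(replace(row, sig_name=f"{parent.sig_name} {suffix}"))
        else:
            out.append(row)
    return out


# Constructed sample: one alert, two tagged packets of its session, and one
# stray blank row with no parent. The sig_ids are made up, not real Snort SIDs.
SAMPLE_ROWS = [
    EventRow(1, 1000.0, "10.0.0.5", "192.168.1.10", 1000001, "WEB-MISC directory traversal"),
    EventRow(2, 1000.2, "10.0.0.5", "192.168.1.10", 1000002, ""),
    EventRow(3, 1000.4, "192.168.1.10", "10.0.0.5", 1000003, ""),
    EventRow(4, 1500.0, "10.0.0.7", "192.168.1.10", 1000004, ""),
]


def labelled_names(rows=SAMPLE_ROWS):
    """Convenience wrapper: the sig_names after labelling, in time order."""
    return [r.sig_name for r in label_tagged_events(rows)]
```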