[Snort-devel] logging tagged packets
Andrew R. Baker
andrewb at ...835...
Mon Aug 26 14:00:06 EDT 2002
Hamilton, Brian O. wrote:
> Sorry about the lack of detail. Hopefully this will help...
> I currently have Snort logging to a Postgres database.
> When I configure the tagging option on an alert and there is a hit on
> that alert, the hit is correctly logged with sig_id (sid), sig_name
> (msg), etc.
> However, the tagged packets after the original alert are logged with the
> next available sig_id and a blank sig_name.
> I was just wondering if there are plans to add a way to define the "msg"
> parameter for tagged packets.
> Maybe something like take the msg of an alert ("WEB-MISC directory
> traversal") and add "(session)" to the end ("WEB-MISC directory
> traversal (session)") as the msg entry for its tagged packets.
The current Snort database output plugin and schema do not have any
mechanisms for supporting tagged packets. The support requirements go
beyond just adding something to the msg entry (although that could be
done without major problems). Support for tagged packets will be left
up to Roman (the database plugin and ACID maintainer). I would not
expect it in Snort 1.9, however.
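Until the plugin and schema gain tag support, the labelling Brian asks for can be done on the reporting side. The script below is an added example, not code from this thread, from Snort, or from the database plugin/ACID. It assumes rows have already been pulled out of the Snort database (event joined with signature and the iphdr/tcphdr tables); the row layout and field names here are our own assumption, and the rows are constructed. It attributes each blank-sig_name row to the most recent real alert on the same session (tag:session tags packets in both directions of a flow, so the key is direction-agnostic), appends "(session)" to that alert's msg, and leaves rows with no parent alert on their flow marked as unattributed. Matching on the flow rather than on "the previous named alert" matters when alerts from different rules interleave.

```python
"""Label Snort tagged packets with their parent alert's msg + " (session)".

Added example, not code from Snort or the database plugin. Rows are
constructed to look like event/signature/iphdr/tcphdr data; the field
names are an assumption, not the real schema's column names.
Only tag:session is handled here; tag:host would need a per-host key.
"""
from dataclasses import dataclass


@dataclass
class EventRow:
    cid: int          # per-sensor event counter, gives the logging order
    sig_name: str     # '' for a tagged packet: the symptom in the thread
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def flow_key(r: EventRow) -> frozenset:
    """Direction-agnostic session key: request and reply share one key."""
    return frozenset({(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)})


NO_PARENT = "(tagged packet, no parent alert on this flow)"


def label_tagged_packets(rows, suffix=" (session)"):
    """Return {cid: label}, where a tagged packet inherits the msg of the
    most recent real alert seen earlier on the same session."""
    last_alert = {}   # flow key -> msg of the latest real alert on that flow
    labels = {}
    for r in sorted(rows, key=lambda e: e.cid):
        if r.sig_name:
            last_alert[flow_key(r)] = r.sig_name
            labels[r.cid] = r.sig_name
        else:
            parent = last_alert.get(flow_key(r))
            labels[r.cid] = parent + suffix if parent else NO_PARENT
    return labels


# Constructed sample: one web alert with two tagged packets (one in each
# direction), an unrelated alert interleaved between them, and a tagged
# packet whose parent alert is not in the result set.
SAMPLE_ROWS = [
    EventRow(1, "WEB-MISC directory traversal", "10.0.0.5", 4321, "192.168.1.10", 80),
    EventRow(2, "", "192.168.1.10", 80, "10.0.0.5", 4321),
    EventRow(3, "SCAN nmap TCP", "10.0.0.9", 55, "192.168.1.10", 22),
    EventRow(4, "", "10.0.0.5", 4321, "192.168.1.10", 80),
    EventRow(5, "", "10.0.0.7", 1111, "192.168.1.10", 80),
]


if __name__ == "__main__":
    for cid, label in sorted(label_tagged_packets(SAMPLE_ROWS).items()):
        print(cid, label)
```

With the sample rows, cid 4 is labelled from the web alert rather than from the nmap alert that was logged just before it, which is the case a naive "previous event" lookup gets wrong.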