[Snort-devel] logging tagged packets

Andrew R. Baker andrewb at ...835...
Mon Aug 26 14:00:06 EDT 2002


Hamilton, Brian O. wrote:
> Sorry about the lack of detail. Hopefully this will help...
> 
> I currently have Snort logging to a Postgres database.
> When I configure the tagging option on an alert and there is a hit on 
> that alert, the hit is correctly logged with sig_id (sid), sig_name 
> (msg), etc.
> 
> However, the tagged packets after the original alert are logged with the 
> next available sig_id and a blank sig_name.
> I was just wondering if there are plans to add a way to define the "msg" 
> parameter for tagged packets.
> Maybe something like take the msg of an alert ("WEB-MISC directory 
> traversal") and add "(session)" to the end ("WEB-MISC directory 
> traversal (session)") as the msg entry for its tagged packets.

The current Snort database output plugin and schema do not have any 
mechanisms for supporting tagged packets.  The support requirements go 
beyond just adding something to the msg entry (although that could be 
done without major problems).  Support for tagged packets will be left 
up to Roman (the database plugin and ACID maintainer).  I would not 
expect it in Snort 1.9, however.

-A
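
Until the database plugin records which alert a tagged packet belongs to, the only way to get Brian's "(session)" message is to reconstruct the link on the reporting side. The following is an added example, not code from the Snort project or from either poster: it assumes a reduced version of the Snort 1.x database schema (only the signature, event and iphdr columns it needs), uses an in-memory SQLite database in place of PostgreSQL so it runs offline, and loads constructed sample rows that reproduce the behaviour Brian describes (a real alert under a named signature, followed by tagged packets under a fresh sig_id with a blank sig_name). Each blank-signature row is attributed to the most recent named alert on the same sensor between the same two hosts, in either direction, inside a time window; the window length and the host-pair heuristic are assumptions, not anything Snort guarantees.

```python
import sqlite3

# Reduced version of the Snort 1.x database schema (assumption: only the
# columns this example needs are kept; the real tables carry more).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_sid INTEGER);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,
                    ip_proto INTEGER NOT NULL, PRIMARY KEY (sid, cid));
"""

# Constructed sample rows reproducing the behaviour reported in the thread.
# A rule of the form (illustrative, not from the page)
#   alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal";
#       content:"../"; tag:session,300,packets; sid:1113;)
# logs its own hit under signature 1, while the packets it tags end up
# under a freshly allocated sig_id (2) whose sig_name is blank.
SAMPLE_SIGNATURES = [
    (1, "WEB-MISC directory traversal", 1113),
    (2, "", None),  # row the database plugin created for the tagged packets
]
SAMPLE_EVENTS = [  # sid, cid, signature, timestamp, ip_src, ip_dst, ip_proto
    (1, 100, 1, "2002-08-26 13:59:00", 0x0A000001, 0x0A000002, 6),  # the alert
    (1, 101, 2, "2002-08-26 13:59:01", 0x0A000001, 0x0A000002, 6),  # tagged, same direction
    (1, 102, 2, "2002-08-26 13:59:02", 0x0A000002, 0x0A000001, 6),  # tagged, server reply
    (1, 103, 2, "2002-08-26 13:59:03", 0x0A000003, 0x0A000002, 6),  # other host: no parent
]

# For every blank-signature event, find the newest named alert on the same
# sensor between the same two hosts (either direction) within :window seconds.
ATTRIBUTION_QUERY = """
WITH tagged AS (
    SELECT t.sid, t.cid, t.timestamp, it.ip_src, it.ip_dst
      FROM event t
      JOIN signature st ON st.sig_id = t.signature
      JOIN iphdr it ON it.sid = t.sid AND it.cid = t.cid
     WHERE st.sig_name = ''
), attributed AS (
    SELECT tg.sid, tg.cid,
           (SELECT a.cid
              FROM event a
              JOIN signature sa ON sa.sig_id = a.signature
              JOIN iphdr ia ON ia.sid = a.sid AND ia.cid = a.cid
             WHERE a.sid = tg.sid
               AND sa.sig_name <> ''
               AND a.timestamp <= tg.timestamp
               AND (julianday(tg.timestamp) - julianday(a.timestamp)) * 86400 <= :window
               AND ((ia.ip_src = tg.ip_src AND ia.ip_dst = tg.ip_dst)
                 OR (ia.ip_src = tg.ip_dst AND ia.ip_dst = tg.ip_src))
             ORDER BY a.timestamp DESC, a.cid DESC
             LIMIT 1) AS parent_cid
      FROM tagged tg
)
SELECT x.sid, x.cid, x.parent_cid, sp.sig_name
  FROM attributed x
  LEFT JOIN event p ON p.sid = x.sid AND p.cid = x.parent_cid
  LEFT JOIN signature sp ON sp.sig_id = p.signature
 ORDER BY x.sid, x.cid
"""


def load_sample(conn):
    """Create the reduced schema and insert the constructed sample rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SAMPLE_SIGNATURES)
    for sid, cid, sig, ts, src, dst, proto in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", (sid, cid, src, dst, proto))


def attribute_tagged_packets(conn, window_seconds=300):
    """Map each blank-signature event (sid, cid) to (parent_cid, derived_msg).

    derived_msg is the parent alert's sig_name with " (session)" appended,
    the msg form asked for in the thread. Rows with no candidate parent map
    to (None, None) rather than being guessed.
    """
    out = {}
    for sid, cid, parent_cid, parent_name in conn.execute(
            ATTRIBUTION_QUERY, {"window": window_seconds}):
        msg = f"{parent_name} (session)" if parent_cid is not None else None
        out[(sid, cid)] = (parent_cid, msg)
    return out


def run_sample(window_seconds=300):
    """Build the in-memory sample database and return the attribution map."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return attribute_tagged_packets(conn, window_seconds)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The query only identifies candidate parents heuristically; two overlapping alerts between the same hosts would both qualify and the newer one wins. That is exactly why Andrew says proper support needs more than a msg tweak: the plugin would have to record the parent event reference at log time rather than leaving it to be inferred afterwards.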
