[Snort-devel] Snort2 tagging

Sean Wheeler s.wheeler at ...2016...
Thu Jun 5 07:45:08 EDT 2003


Hi,

Is there any documentation besides the source relating to tagging in
snort2.0 ?

I am trying to understand the mechanics behind the referance to the main tag
alert and where event_reference comes into effect there.

My interpretation of what tagging does ( did I get it correct?)
An alert is triggerd based on rule "blah blah", tagging of the next X
packets following from the triggered rule". The tagged packets do not
require that they satisfy the criteria of the rule itself.


Situation :

Snort2 logging to mysql
I would like to display the collection of tagged packets as one event in a
frontend.

When someone clicks on the event it displays the story arc of the tagged
session.

what I have realised:
Presently each tagged packet is given a unique cid in the event table, which
is a good thing as you can refer to it's payload uniquely etc.
If I expand the schema and write the event_reference to the event table
aswell, I notice the following. ( hoping that this would identify which tag
belongs to which alert)


unique alert = event_reference as even number.
following tag packet = event_reference as incremented by 3.
tag end = event_reference increments by 7.
when snort is restarted it begins at 0 value for event_reference

however triggering of simultaneous tagged alerts, makes a whole party out of
the above figuring out ;)


In all honesty I do not understand the tagging mechanics in snort2 in order
to implement my situation mentioned above.
I am looking for documentation regarding the above or any comments from the
"enlightened ones" which would steer me in the correct direction.

Look forward to your responses

Sean
















More information about the Snort-devel mailing list