[Snort-devel] New entry in Signature table for tagged packets

Russell Fulton r.fulton at ...1343...
Thu Nov 25 19:08:09 EST 2004

On Fri, 2004-11-26 at 11:00, Frank Knobbe wrote:

> I can't see any reason for this so I assume it's a bug. My guess is that
> it is caused by the section in spo_database that checks if the sid is
> >0. I'm unsure how to fix that though. I would recommend to enclose that
> whole block in a branch that first checks if it is a valid sig or tagged
> packet and then handles tagged packets like an existing sig.... in
> essence using the existing sig_id in the db instead of creating a new
> one.

AH! Thanks for bringing this up Frank! I've been meaning to ask how one
links the tagged packets back to the alert that triggered their
capture.  In most cases it is obvious but there have been times when I
have been left with no idea why the packets have been captured.

> Happy Thanksgiving!

Amen to all you folks in the US.

> Frank  (time-to-turkey: <2 hrs)

My sympathy is with the turkeys!  :)  but you may as well enjoy them

Russell Fulton, Information Security Officer, The University of Auckland
New Zealand

More information about the Snort-devel mailing list