[Snort-devel] New entry in Signature table for tagged packets

Frank Knobbe frank at ...2134...
Fri Nov 26 08:00:09 EST 2004


On Fri, 2004-11-26 at 03:09, Dirk Geschke wrote:
> > As a follow-up, it appears that the "parent" signature that caused the
> > tag is also entered multiple times.
> 
> I don't think so. I guess you see them twice, one for the alert
> chain and one for the log chain. Tagged packets are only reported
> to the log facility not the alert facility.

Uhm... no. It's actually three entries for one tagged event. It does not
have anything to do with log or alert. The database output is set to
log.

I had two entries in the event table for one event which is normal for
that sensor (damn load-balancer causes packets with internal and
external address to fly by the sensor). Each one of these caused three
of the exact same entries in the signature table (so a total of six).
However, I have only two entries in the event table, one for each valid
event. The other 4 sig_id's in the signature table are not even
referenced in the event table!

That was for the sig. On top of that are 654 entries in the signature
table for that event labeled as "Tagged Packet" with identical data
(except the sig_id of course).

I can live with the first fluke (unreferenced signatures), but creating an
entry in the signature table for each tagged packet seems a bit ...
uhm... excessive.

I hope that made it a bit clearer. If not, I can print database dumps if
required.

Regards,
Frank
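One way to audit a Snort database for the two symptoms described in this message (signature rows that no event references, and many identical signature rows differing only in sig_id), written as an added example that is not part of the post or of Snort's own code. The schema below is an assumed, reduced subset of the classic Snort database output schema (event.signature pointing at signature.sig_id); the table rows are constructed to mirror the counts described above, and the repair step (repointing events at the lowest sig_id of each duplicate group, then deleting the rest) is this example's own approach, not a documented Snort procedure:

```python
"""Audit a Snort/ACID-style database for unreferenced and duplicated
signature rows.  Added example; schema is an assumed reduced subset of the
Snort database output schema and all sample rows are constructed."""
import sqlite3

# Assumed, reduced subset of the Snort DB schema: signature.sig_id is the
# key that event.signature points at.
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Columns whose equality makes two signature rows "the same rule".
GROUP_COLS = "sig_name, sig_sid, sig_rev, sig_gid, sig_class_id, sig_priority"


def build_sample_db():
    """Constructed data: the parent rule inserted six times (only two of the
    rows referenced by events) plus five 'Tagged Packet' rows, none of which
    any event references.  Numeric values are placeholders, not real IDs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    parent = [(i, "EXAMPLE parent rule", 1, 2, 3, 1000001, 1) for i in range(1, 7)]
    tagged = [(i, "Tagged Packet", 1, 3, 1, 1, 2) for i in range(7, 12)]
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", parent + tagged)
    conn.executemany(
        "INSERT INTO event VALUES (?,?,?,?)",
        [(1, 1, 1, "2004-11-26 03:09:00"), (1, 2, 4, "2004-11-26 03:09:00")],
    )
    conn.commit()
    return conn


def unreferenced_signatures(conn):
    """sig_ids that no event row points at (dead rows in the signature table)."""
    rows = conn.execute(
        """SELECT s.sig_id FROM signature s
           LEFT JOIN event e ON e.signature = s.sig_id
           WHERE e.signature IS NULL
           ORDER BY s.sig_id"""
    ).fetchall()
    return [r[0] for r in rows]


def duplicate_signatures(conn):
    """Groups of signature rows identical in everything but sig_id,
    largest group first, with the lowest sig_id as the one worth keeping."""
    rows = conn.execute(
        f"""SELECT sig_name, sig_sid, sig_rev, sig_gid,
                   COUNT(*) AS copies, MIN(sig_id) AS keep_id
            FROM signature
            GROUP BY {GROUP_COLS}
            HAVING COUNT(*) > 1
            ORDER BY copies DESC"""
    ).fetchall()
    keys = ("sig_name", "sig_sid", "sig_rev", "sig_gid", "copies", "keep_id")
    return [dict(zip(keys, r)) for r in rows]


def dedupe_signatures(conn):
    """Repair: repoint every event at the lowest sig_id of its duplicate
    group, then delete the now-unreferenced copies.  Returns rows deleted."""
    with conn:  # single transaction: either both statements apply or neither
        conn.execute(
            """UPDATE event SET signature = (
                   SELECT MIN(s2.sig_id) FROM signature s1 JOIN signature s2
                     ON s1.sig_name IS s2.sig_name AND s1.sig_sid IS s2.sig_sid
                    AND s1.sig_rev IS s2.sig_rev AND s1.sig_gid IS s2.sig_gid
                    AND s1.sig_class_id IS s2.sig_class_id
                    AND s1.sig_priority IS s2.sig_priority
                   WHERE s1.sig_id = event.signature)"""
        )
        cur = conn.execute(
            f"""DELETE FROM signature WHERE sig_id NOT IN (
                    SELECT MIN(sig_id) FROM signature GROUP BY {GROUP_COLS})"""
        )
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("unreferenced:", unreferenced_signatures(db))
    print("duplicates:", duplicate_signatures(db))
    print("deleted:", dedupe_signatures(db))
    print("unreferenced after repair:", unreferenced_signatures(db))
```

Run the audit queries before any cleanup: the unreferenced list shows how many rows the output plugin wrote without ever attaching an event to them, and the duplicate groups show whether the problem is the parent rule, the tagged packets, or both. The repair is deliberately kept in one transaction so a half-applied cleanup cannot leave events pointing at deleted sig_ids.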

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20041126/094e1376/attachment.sig>

