[Snort-devel] New entry in Signature table for tagged packets
frank at ...2134...
Fri Nov 26 08:06:04 EST 2004
On Thu, 2004-11-25 at 21:07, Russell Fulton wrote:
> AH! Thanks for bringing this up Frank! I've been meaning to ask how one
> links the tagged packets back to the alert that triggered their
> capture. In most cases it is obvious but there have been times when I
> have been left with no idea why the packets have been captured.
We use a dual-alerting system (one being database independent). The
other mechanism we use automatically groups the events by IP, so the
tagged packets are always in the same *cough*email*cough* as the
triggering sig. :)