[Snort-devel] Meaning of GENERATOR_TAG and TAG_LOG_PKT

Nitram Eppank schokoladenriese at ...3036...
Fri Mar 25 09:07:46 EDT 2011


The spo_unified output plugin makes use of generator id GENERATOR_TAG and
signature id TAG_LOG_PKT when processing a rebuilt packet.
Comments in the spo_unified2 output plugin suggest this is bad and must not
be done. Why was this done in spo_unified; what was/is the meaning of
GENERATOR_TAG and TAG_LOG_PKT? I understand segments after the first segment
are written away as events with this generator; but where is this processed?
It looks to me like barnyard for example doesn't handle this case in any
special way. In my database I don't have a single event with this generator
so it seems this code fragment has not been executed, even though I have
stream5 enabled. Can someone shed some light on that?
Thanks