[Snort-sigs] Tagged Packet?

Daniel Roelker droelker at ...435...
Mon Jul 26 10:57:28 EDT 2004


Tagged packets are generated based on the tag keyword in rules.  The
only two rules I see that have tag in them are SID 2251 and 2252.  What
this means is that when either of these alerts goes off, snort logs the
next 5 packets in that session and calls them "Tagged Packet".  "Tagged
Packet" isn't a rule you turn on or off.  It is generated by snort.  If
you don't want to see the tagged packets, then take out the tag keyword
in these two SIDs.

I believe that these SIDs use tagged packets so the analyst can
determine whether the original alert was a false positive or not.  Rules
Team care to comment?

Dan

On Mon, 2004-07-26 at 13:34, Jason Alexander wrote:
> I don't know what the answer is but I just started noticing these as
> well.  I haven't had time to look into them.
> 
> Jason
> 
> 
> Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
> >  
> > I am getting a large number of alerts for Tagged Packets?  There is no 
> > Snort sid and I looked through my bleeding.rules and didn't see it there 
> > either.  Any ideas?
> > 
> 
> 
> 
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.




