[Snort-sigs] Tagged Packet?
droelker at ...435...
Mon Jul 26 10:57:28 EDT 2004
Tagged packets are generated based on the tag keyword in rules. The
only two rules I see that have tag in them are SID 2251 and 2252. What
this means is that when either of these alerts goes off, Snort logs the
next 5 packets in that session and calls them "Tagged Packet". "Tagged
Packet" isn't a rule you turn on or off. It is generated by Snort. If
you don't want to see the tagged packets, then take out the tag keyword
in these two SIDs.

I believe that these SIDs use tagged packets so the analyst can
determine whether the original alert was a false positive or not. Rules
Team care to comment?

On Mon, 2004-07-26 at 13:34, Jason Alexander wrote:
> I don't know what the answer is but I just started noticing these as
> well. I haven't had time to look into them.
> Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
> > I am getting a large number of alerts for Tagged Packets? There is no
> > Snort sid and I looked through my bleeding.rules and didn't see it there
> > either. Any ideas?
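
One way to list which active rules in a local ruleset carry the `tag` option, and so will produce "Tagged Packet" entries, shown as an added example that is not part of the original thread. The sample rules and their SIDs are constructed placeholders, and the parser assumes one rule per line.

```python
import re

# Constructed sample rules (not from any shipped ruleset); SIDs are local placeholders.
SAMPLE_RULES = r'''
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled"; tag:host,10,seconds,src; sid:1000000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"EXAMPLE bind attempt"; flow:to_server,established; content:"|05|"; tag:session,5,packets; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE tag text in payload only"; content:"tag:session"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp"; tag:host,60,seconds,src; sid:1000003; rev:2;)
'''

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def tagged_rules(text):
    """Return one dict per active (uncommented) rule that carries a tag option."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else re.match(r"[^(]*\((.*)\)$", line)
        if not m:
            continue  # blank line, comment, or not a single-line rule
        opts = {}
        for opt in split_options(m.group(1)):
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip()
        if "tag" in opts:
            # tag:<type>,<count>,<metric>[,<direction>]
            parts = [p.strip() for p in opts["tag"].split(",")]
            parts += [None] * (4 - len(parts))
            found.append({"sid": int(opts.get("sid", 0)), "type": parts[0],
                          "count": int(parts[1]), "metric": parts[2], "direction": parts[3]})
    return found

if __name__ == "__main__":
    for rule in tagged_rules(SAMPLE_RULES):
        print(rule)
```

Because options are split on unquoted semicolons, a rule whose payload match merely contains the text `tag:` is not reported, which a plain text search for `tag:` would get wrong.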