[Snort-sigs] Tagged Packet?

Esler, Joel - Contractor joel.esler at ...783...
Mon Jul 26 11:23:10 EDT 2004


"Tagged Packet" is an indication that a rule written with a "tag:" in it
has flagged.  (see snort documentation for more information on tagging)
however, my suggestion is to see what signature directly precedes the
"Tagged Packet" signature in your alert file then you will be able to
tell what alert made it tag.  

Incidentally, this is most beneficial when you have binary logging
turned on.

Joel

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Daniel
Roelker
Sent: Monday, July 26, 2004 1:50 PM
To: Jason Alexander
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Tagged Packet?


Tagged packets are generated based on the tag keyword in rules.  The
only two rules I see that have tag in them are SID 2251 and 2252.  What
this means is that when either of these alerts goes off, snort logs the
next 5 packets in that session and calls them "Tagged Packet".  "Tagged
Packet" isn't a rule you turn on or off.  It is generated by snort.  If
you don't want to see the tagged packets, then take out the tag keyword
in these two SIDs.

I believe that these SIDs use tagged packets so the analyst can
determine whether the original alert was a false positive or not.  Rules
Team care to comment?

Dan

On Mon, 2004-07-26 at 13:34, Jason Alexander wrote:
> I don't know what the answer is but I just started noticing these as
> well.  I haven't had time to look into them.
> 
> Jason
> 
> 
> Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
> >  
> > I am getting a large number of alerts for Tagged Packets?  There is no
> > Snort sid and I looked through my bleeding.rules and didn't see it there
> > either.  Any ideas?
> > 
> 
> 
> 
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
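Joel's advice (look at the signature that precedes each "Tagged Packet" in the alert file) and Dan's description (the tag keyword makes snort log the next few packets of the session that fired the rule) can be turned into a small triage script. The following is an added example written for this thread, not code from Snort or from anyone on the list. It assumes a fast-alert-style line layout (constructed sample below; adjust the regex to your alert plugin's output) and assumes tagged packets show up as generator 2, signature 1 with the message "Tagged Packet", which you should confirm against your own gen-msg.map. Rather than blindly taking the immediately preceding line, it credits each tagged packet to the most recent ordinary alert on the same session, so interleaved alerts from other hosts do not confuse the count.

```python
"""Attribute Snort "Tagged Packet" alerts to the rule alert that caused tagging.

Example code for the thread above (not Snort's own code).  The alert-line
layout and the [2:1:0] Tagged Packet identifier are assumptions; check them
against your alert plugin output and gen-msg.map.
"""
import re
from collections import Counter

# Constructed sample alert file.  Session 10.0.0.5:1234 <-> 10.0.0.7:135 trips
# SID 2251 and is followed by five tagged packets (both directions); a second
# session trips SID 2252 and yields two; one tagged packet arrives on a session
# with no preceding rule alert, so it cannot be attributed.  Rule messages are
# constructed placeholders, not the real SID 2251/2252 texts.
SAMPLE_ALERTS = """\
07/26-13:34:01.000001  [**] [1:2251:1] CONSTRUCTED alert for sid 2251 [**] [Priority: 1] {TCP} 10.0.0.5:1234 -> 10.0.0.7:135
07/26-13:34:01.000105  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.7:135 -> 10.0.0.5:1234
07/26-13:34:01.000210  [**] [1:2252:1] CONSTRUCTED alert for sid 2252 [**] [Priority: 1] {TCP} 10.0.0.9:4444 -> 10.0.0.7:445
07/26-13:34:01.000300  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.5:1234 -> 10.0.0.7:135
07/26-13:34:01.000311  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.7:445 -> 10.0.0.9:4444
this line is deliberately unparseable and must be skipped
07/26-13:34:01.000400  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.7:135 -> 10.0.0.5:1234
07/26-13:34:01.000450  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.9:4444 -> 10.0.0.7:445
07/26-13:34:01.000500  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.5:1234 -> 10.0.0.7:135
07/26-13:34:01.000600  [**] [2:1:0] Tagged Packet [**] {TCP} 10.0.0.7:135 -> 10.0.0.5:1234
07/26-13:34:02.000000  [**] [2:1:0] Tagged Packet [**] {TCP} 192.168.1.2:5555 -> 10.0.0.7:80
"""

# Assumed fast-alert layout: "<ts>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} a:p -> b:q"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

TAGGED_GID, TAGGED_SID = 2, 1  # assumed generator/sid of "Tagged Packet"


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "proto": d["proto"],
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
    }


def session_key(alert):
    """Direction-agnostic session id: tagged packets flow both ways."""
    return (alert["proto"],) + tuple(sorted([alert["src"], alert["dst"]]))


def is_tagged(alert):
    return alert["gid"] == TAGGED_GID and alert["sid"] == TAGGED_SID


def attribute_tagged_packets(lines):
    """Credit each Tagged Packet to the latest rule alert on its session.

    Returns {"per_sid": Counter(sid -> tagged count), "messages": {sid: msg},
             "unattributed": [tagged alerts with no preceding rule alert]}.
    """
    last_rule_alert = {}  # session key -> most recent non-tagged alert
    per_sid = Counter()
    messages = {}
    unattributed = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # blank or foreign line; skip rather than abort
        key = session_key(alert)
        if is_tagged(alert):
            origin = last_rule_alert.get(key)
            if origin is None:
                unattributed.append(alert)
            else:
                per_sid[origin["sid"]] += 1
                messages[origin["sid"]] = origin["msg"]
        else:
            last_rule_alert[key] = alert
    return {"per_sid": per_sid, "messages": messages, "unattributed": unattributed}


if __name__ == "__main__":
    report = attribute_tagged_packets(SAMPLE_ALERTS.splitlines())
    for sid, n in report["per_sid"].most_common():
        print(f"sid {sid} ({report['messages'][sid]}): {n} tagged packet(s)")
    print(f"unattributed tagged packets: {len(report['unattributed'])}")
```

Run it against your real alert file with `attribute_tagged_packets(open("alert"))`; the per-SID counts tell you which tagging rules are responsible for the volume, and anything in `unattributed` means the originating alert was logged elsewhere (or before the start of the file) and is worth pulling from the binary log.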


