[Snort-sigs] Problem with session tagging - multiple alerts in session

Al Lewis (allewi) allewi at ...3865...
Wed Apr 6 05:55:44 EDT 2016


Hello,

If you use the rules you have below it probably doesn’t work because you are using the SAME sid number over and only ONE rule is matching.

Try changing the SID numbers to unique ones first and see if that helps.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Amir Kravitz [mailto:amirkravitz at ...4143...]
Sent: Wednesday, April 06, 2016 2:41 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm trying to post again after my last attempt came out as an HTTP source..

I'm new to snort.
I'm trying to use tag:session to log all the packets in the session.
I found out that not all the packets in the session were logged as part of the session.
When other packets in the tagged session generated new alerts, they were logged with an event-id of the new alert (they just generated) and not with the tagged session event-id.
How can I identify all the packets in the session (even if some of them generated other alerts)?

I'm using the rules:
alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )

Thanks,
Amir
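A small lint check for the duplicate-sid problem Al points out, added here as an example (not from the original post, not a Snort tool): it parses the sid and tag options out of a rules file and reports any sid used by more than one rule. The rule text is the constructed sample input, with Amir's two rules beside a corrected pair that uses unique sids.

```python
import re
from collections import defaultdict

# Constructed sample input: the two rules from the thread, which share one sid.
BROKEN_RULES = """\
alert tcp any any -> any any ( content:"AAA"; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB"; sid:10000001; )
"""

# Constructed corrected pair: each rule gets its own sid (and a rev), so the
# "BBB" rule can fire on its own instead of colliding with the tagging rule.
FIXED_RULES = """\
# tagging rule: log the rest of the session for 10 seconds after "AAA"
alert tcp any any -> any any ( content:"AAA"; sid:10000001; rev:2; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB"; sid:10000002; rev:1; )
"""

OPTIONS_RE = re.compile(r"\((.*)\)\s*$")          # everything inside the option parentheses
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
TAG_RE = re.compile(r"\btag\s*:\s*(session|host)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)")

def parse_rule(line):
    """Return (sid, tag) for one rule line, where tag is (type, count, metric)
    or None; return None for blank lines, comments and lines without a sid."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = OPTIONS_RE.search(line)
    if not opts:
        return None
    sid = SID_RE.search(opts.group(1))
    if not sid:
        return None
    tag = TAG_RE.search(opts.group(1))
    tag_info = (tag.group(1), int(tag.group(2)), tag.group(3)) if tag else None
    return int(sid.group(1)), tag_info

def find_duplicate_sids(rules_text):
    """Map every sid that appears more than once to the 1-based line numbers using it."""
    seen = defaultdict(list)
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        parsed = parse_rule(line)
        if parsed:
            seen[parsed[0]].append(lineno)
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, find_duplicate_sids(text))   # broken {10000001: [1, 2]}, fixed {}
```

Run it against a real rules file by reading the file into a string and passing it to find_duplicate_sids; an empty result means every rule has its own sid.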