[Snort-users] Hard choice: Preprocessor or Tagging

Chris Green cmg at ...1935...
Mon Sep 2 08:55:34 EDT 2002


[ please obey Reply-to: ]


Michael Boman <michael.boman at ...4162...> writes:

>> Which preprocessor?  The only ones that only call alerts are things
>> like portscans to my knowledge.

We could log the packet as well, it doesn't make a lot of sense out of
context but it is doable.

> Yupp. Portscan is the one.. Don't run SPADE and don't see so much stream4 
> activity anyway so I wouldn't know.
>
> Is there any way to get tagged packets to have a signature name like 'tagged 
> packet' or something?

I don't know about the database output plugin. They are meant to be
logged based off the event id that triggered them.

>
> PS:
>  I've hacked the source code of spo_database.c so it ignores the BFP part. It's 
> an easy hack but if anyone wants a diff file please let me know.
> DS

Make it an option in the output line and I'll include it.
-- 
Chris Green <cmg at ...1935...>
This is my signature. There are many like it but this one is mine.



