[Snort-users] Re: [Snort-sigs] Anyone tried tagging?

Michael Boman michael at ...3137...
Tue Sep 10 01:55:02 EDT 2002


At 08:17 PM 9/9/2002 -0700, you wrote:
>Hi,
>
>     adding tag to the below rule doesn't make a
>difference to the alerts logged in my database. How
>can I know if it is working?
>
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; tag: host,200,packets,src; itype: 8; depth: 16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;)
>
>Thanks

Tagging puts the tagged packets in the 'log' facility, so you need to put 
your database in the 'log' facility as well.

Example:
output database: log, mysql, dbname=snort user=snort host=localhost password=xyz
                 ^^^

The only bad thing about that is that the old (current) portscan 
detector (spp_portscan) only injects packets into the 'alert' facility, and they 
never move to the 'log' facility. I personally solved that by putting 
syslog logging on 'alert', and database on 'log'.

Best regards
  Michael Boman

--
Michael Boman
Student, Husband, Geek. Not necessarily in that order though.
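The facility mismatch described in the reply above (tagged packets go to 'log', but the database output plugin is attached to 'alert') is easy to miss because nothing errors out; alerts still arrive and only the tagged packets silently vanish. Below is an added example, not code from the post or from the Snort project, of a small checker that parses a snort.conf and a rules file and reports whether any rule using `tag:` has an output plugin listening on the 'log' facility. The config excerpts and the second rule are constructed for the example (the first rule is the one quoted in the thread); the classification of plugins by their `alert_`/`log_` name prefix, the treatment of `unified2` as serving both facilities, and the `PLACEHOLDER` password are assumptions, not Snort documentation.

```python
import re

# Constructed snort.conf excerpts (not from the mailing-list post).
# Weak setting: the database plugin sits on the 'alert' facility, so
# packets emitted by 'tag:' never reach it.
SNORT_CONF_ALERT_ONLY = """\
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, dbname=snort user=snort host=localhost password=PLACEHOLDER
"""

# Corrected setting, following the reply: syslog on 'alert', database on 'log'.
SNORT_CONF_FIXED = """\
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, dbname=snort user=snort host=localhost password=PLACEHOLDER
"""

# Rule set: the tagged rule quoted in the thread (sid 382) plus one
# constructed rule without a tag option.
RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; tag: host,200,packets,src; itype: 8; depth: 16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;)
alert tcp any any -> any 22 (msg:"constructed rule without tag"; sid:1000001; rev:1;)
"""

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
TAG_RE = re.compile(r"\btag\s*:")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def output_facilities(conf_text):
    """Map each output plugin in a snort.conf to the facility it serves.

    Returns {'alert': [...], 'log': [...]} with plugin names in file order.
    """
    facilities = {"alert": [], "log": []}
    for line in conf_text.splitlines():
        match = OUTPUT_RE.match(line)
        if not match:
            continue
        plugin, args = match.group(1), match.group(2)
        if plugin == "database":
            # The database plugin names its facility explicitly: 'log' or 'alert'.
            facility = args.split(",", 1)[0].strip().lower()
            if facility in facilities:
                facilities[facility].append(plugin)
        elif plugin.startswith("alert_"):
            facilities["alert"].append(plugin)
        elif plugin.startswith("log_"):
            facilities["log"].append(plugin)
        elif plugin == "unified2":
            # Assumption for this example: unified2 records both facilities.
            facilities["alert"].append(plugin)
            facilities["log"].append(plugin)
    return facilities


def tagged_sids(rules_text):
    """Return the sids of every active rule that carries a 'tag:' option."""
    sids = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if TAG_RE.search(line):
            sid = SID_RE.search(line)
            sids.append(int(sid.group(1)) if sid else None)
    return sids


def check_tag_logging(conf_text, rules_text):
    """Report whether tagged rules actually have somewhere to store packets.

    The check passes when no rule uses 'tag:', or when at least one output
    plugin is attached to the 'log' facility.
    """
    facilities = output_facilities(conf_text)
    sids = tagged_sids(rules_text)
    report = {
        "tagged_sids": sids,
        "log_plugins": facilities["log"],
        "alert_plugins": facilities["alert"],
    }
    report["ok"] = (not sids) or bool(facilities["log"])
    return report


if __name__ == "__main__":
    for label, conf in (("alert-only", SNORT_CONF_ALERT_ONLY), ("fixed", SNORT_CONF_FIXED)):
        result = check_tag_logging(conf, RULES)
        status = "OK" if result["ok"] else "TAGGED PACKETS WILL BE DROPPED"
        print(f"{label}: {status}; tagged sids={result['tagged_sids']}; "
              f"log plugins={result['log_plugins']}; alert plugins={result['alert_plugins']}")
```

Run it against a real snort.conf and rules directory by reading the files into the two arguments; the interesting case is a report with tagged sids and an empty `log_plugins` list, which is exactly the situation the original poster was in. The `alert_plugins` list is kept in the report so you can also see where spp_portscan-style alert-only output ends up.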