[Snort-users] Re: [Snort-sigs] Anyone tried tagging?
michael at ...3137...
Tue Sep 10 01:55:02 EDT 2002
At 08:17 PM 9/9/2002 -0700, you wrote:
> Adding tag to the below rule doesn't make a
> difference to the alerts logged in my database. How
> can I know if it is working?
> alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|";
> tag: host,200,packets,src; itype: 8; depth: 16;
Tagging puts the tagged packets in the 'log' facility, so you need to put
your database in the 'log' facility as well.
output database: log, mysql, dbname=snort user=snort host=localhost
The only bad thing about that is that the old (current) portscan detector
(spp_portscan) only injects packets into the 'alert' facility, and they
never move to the 'log' facility. I personally solved that by putting
syslog logging on 'alert' and the database on 'log'.
Student, Husband, Geek. Not necessarily in that order though.
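The question "how can I know if it is working?" comes down to checking which facility each output plugin is bound to. The following is an added example, not code from the thread or from the Snort project: a small lint over snort.conf-style text that flags rules using tag: when no output plugin consumes the 'log' facility. It assumes Snort 2.x directive syntax ("output <plugin>: <args>", with the facility as the first argument of the database plugin, and alert_*/log_* plugin names binding to the matching facility).

```python
import re

# Snort 2.x output directives look like "output <plugin>: <args>". For the
# 'database' plugin the first argument names the facility ('alert' or 'log');
# alert_* plugins bind to 'alert' and log_* plugins to 'log' (assumed naming).
OUTPUT_RE = re.compile(r'^\s*output\s+(\w+)\s*:\s*(.*)$')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

def output_facilities(conf_text):
    """Facilities ('alert'/'log') that have at least one output plugin bound."""
    facilities = set()
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.groups()
        if plugin == 'database':
            facilities.add(args.split(',')[0].strip())
        elif plugin.startswith('alert_'):
            facilities.add('alert')
        elif plugin.startswith('log_'):
            facilities.add('log')
    return facilities

def rules_with_tag(rules_text):
    """msg strings of the rules that carry a tag: option."""
    tagged = []
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and re.search(r'\btag\s*:', line):
            m = MSG_RE.search(line)
            tagged.append(m.group(1) if m else line)
    return tagged

def check_tagging(conf_text, rules_text):
    """One warning per tagged rule when no output plugin consumes 'log'."""
    if 'log' in output_facilities(conf_text):
        return []
    return [f'rule "{msg}" uses tag: but nothing logs the log facility'
            for msg in rules_with_tag(rules_text)]

# Constructed samples: database on 'alert' only (the question) versus the
# reply's split of syslog on 'alert' and database on 'log'.
CONF_ALERT_ONLY = "output database: alert, mysql, dbname=snort user=snort host=localhost\n"
CONF_FIXED = ("output alert_syslog: LOG_AUTH LOG_ALERT\n"
              "output database: log, mysql, dbname=snort user=snort host=localhost\n")
RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; '
        'content:"|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; depth:16; '
        'itype:8; tag:host,200,packets,src;)\n')

if __name__ == '__main__':
    for name, conf in (('alert-only', CONF_ALERT_ONLY), ('fixed', CONF_FIXED)):
        print(name, check_tagging(conf, RULE) or 'ok')
```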