[Snort-users] Re: [Snort-sigs] Anyone tried tagging?

Michael Boman michael at ...3137...
Tue Sep 10 01:55:02 EDT 2002

At 08:17 PM 9/9/2002 -0700, you wrote:
> adding a tag to the below rule doesn't make a
> difference to the alerts logged in my database. How
> can I know if it is working?
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content:"|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; tag:host,200,packets,src; itype:8; depth:16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;)

Tagging puts the tagged packets in the 'log' facility, so you need to put 
your database in the 'log' facility as well.

output database: log, mysql, dbname=snort user=snort host=localhost 

The only bad thing about that is that the old (current) portscan 
(spp_portscan) detector only injects packets into the 'alert' facility, and they 
never move to the 'log' facility. I personally solved that by putting 
syslog logging on 'alert' and the database on 'log'.

Best regards
  Michael Boman

Michael Boman
Student, Husband, Geek. Not necessarily in that order, though.
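The split Michael describes, written out as a snort.conf output section (an added example, not from the original post or the Snort project; it assumes the Snort 1.x 'alert'/'log' facility model the thread discusses, and the database name, user and host are the values from the reply):

```conf
# Added example, not from the original post. Snort 1.x output plugins attach
# to one of two facilities: 'alert' or 'log'.

# Rule alerts and spp_portscan events are written to the 'alert' facility.
# Syslog is attached here so portscan output is not lost.
output alert_syslog: LOG_AUTH LOG_ALERT

# Packets captured by a rule's 'tag:' option are written to the 'log'
# facility. The database must attach to 'log' to receive them; attached to
# 'alert' it would record the triggering alert but never the tagged packets.
output database: log, mysql, dbname=snort user=snort host=localhost

# The rule from the question. After a match, tag:host,200,packets,src logs
# the next 200 packets from the source host of the triggering packet.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content:"|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype:8; depth:16; tag:host,200,packets,src; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;)
```

To confirm tagging is working, match the rule once and check that the database then fills with the follow-on packets from that host rather than a single alert row.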
