[Snort-users] Tagged packets in logs

Russell Fulton r.fulton at ...3809...
Tue Dec 23 02:25:04 EST 2003

	I am getting a trickle of "tagged" packets turning up in ACID.  All
these packets have 80 as source port and most have no data, just
push+ack set.  A few have data and these alway start with a USER
<username><CRLF>PASS <password> .

I am using 2.0.4 with latest stable ruleset.  So far as I can tell there
are only two rules that currently use the tag option and neither target
port 80.  

Any idea what is going on?

BTW I'm using unified logging and mudpit to log to a mysql database.

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!

More information about the Snort-users mailing list