[Snort-users] Tagged packets in logs

Grejda, Eric EGrejda at ...10102...
Tue Dec 23 05:46:03 EST 2003

I've been seeing those on our networks as well, only there hasn't been any
payload in those packets.  They were appearing on a Snort v2.0.5 setup using
the latest STABLE rule set which was logging to a MySQL database.  We
haven't been able to pin down what's causing them, either, and would love to
know what's going on.  My working theory has been that it's been a system
duplication application of some sort (we use a few of them around here)
pinging the server that stores its disk images but there's no hard data
backing that theory up.

Eric Grejda

> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at ...3809...] 
> Sent: Tuesday, December 23, 2003 5:22 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Tagged packets in logs
> 	I am getting a trickle of "tagged" packets turning up 
> in ACID.  All these packets have 80 as source port and most 
> have no data, just
> push+ack set.  A few have data and these alway start with a USER
> <username><CRLF>PASS <password> .

More information about the Snort-users mailing list