[Snort-users] TCP Session logging with ACID

jonasb at ...7872... jonasb at ...7872...
Thu Apr 29 07:42:08 EDT 2004


Hi -

I'm trying to get a feel for the difference between using the stream
pre-processor and the TAG: session keywords in a rule. 
If I want to log every telnet session and view each one as an alert
within ACID, would I have to set a rule with content so that the
pre-processor picks it up?
If I use TAG however, will this generate an alert for each packet
tagged?

I guess my question is when would you use TAG vs. just relying on the
stream preprocessor, and how would a TAGged session appear in ACID?

Thanks!
B 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040429/71415ad6/attachment.html>


More information about the Snort-users mailing list