[Snort-users] Question on tags
kjsmith at ...13166...
Sat Mar 26 12:52:08 EST 2005
I finally got Snort, Barnyard, and MySQL working together. For some odd
reason it does not like SimplyMEPIS with MySQL 4.1. I used ProMEPIS
with MySQL 4.0.2 and it worked without a problem.
My question is about the tag keyword. I'm a little confused as to how it
works. Say ten packets come over the interface: does it grab all of them in time
x and log them as one entry (obviously larger, since it includes the payload)? Or
does it still log all of them separately after the time has expired? Also,
the manual says that tagged packets are not properly logged in a
database. Is that after a certain amount of time? Or what happens when it
tries to log to a database? My goal is to lower the number of entries in
the database for the traffic we are looking at; there are about 15,000
packets in 10 minutes. I would like to use the tag option to lower the
number of entries in the database if that is possible. Or is there a
better way to do that?
Thanks again for everyone's help