[Snort-users] Question on tags

Kevin Smith kjsmith at ...13166...
Sat Mar 26 12:52:08 EST 2005


Hey everyone,

I finally got Snort, Barnyard, and MySQL working together. For some odd 
reason it does not like SimplyMEPIS with MySQL 4.1. I used ProMEPIS 
with MySQL 4.0.2 and it worked without a problem.

My question is about the tag keyword. I'm a little confused as to how it 
works. Say ten packets come over the interface: does it grab all in time 
x and log it as 1, but obviously the size is bigger with the payload? Or 
does it still log all of them separately after the time has expired? Also, 
in the manual it says that tagged packets are not properly logged in a 
database. Is it after a certain amount of time? Or what happens when it 
tries to log to a database? My goal is to lower the amount of entries in 
the database of traffic that we are looking at; there are about 15,000 
packets in 10 minutes. I would like to use the tag option to lower the 
amount of entries in the database if that is possible. Or is there a 
better way to do that?

Thanks again for everyone's help
Kevin