[Snort-users] Tagged Packet ... AAAHHH

Jeff Kell jeff-kell at ...6282...
Sun Oct 30 19:29:59 EST 2005

Joel Esler wrote:
> One of your rules (most likely a bleedingsnort rule) has the keyword  
> "tag" in it.  Look in your rules for the word "tag" and remove the  
> keyword and its modifiers from the rule body.

Not sure how to do this with other post-processing utilities, but if you're using BASE, you can usually track this down by doing the following to one of the tagged packets in question:

Click on the source address.  Select "source or destination".  Clear the "tagged" alert signature criteria.  Sort the result chronologically.  The signature that contained the triggering "tag" should precede the tagged packets in the output.  If it doesn't, repeat the same procedure with the destination address.
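
Added example, not part of the original message: a Python script that lists the active rules whose option list contains the `tag` keyword and shows each rule with that option removed. It ignores "tag" appearing inside quoted strings such as `msg` or `content`. It assumes one rule per line; the sample rules, messages and SIDs are constructed.

```python
import re

# Constructed sample rules (not from the thread); one rule per line is assumed.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh scan\; tag:demo"; flow:to_server; tag:host,300,seconds,src; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE plain rule"; content:"tag:session"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled"; tag:session,10,packets; sid:1000003;)
'''

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False            # escaped character is kept literally
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
            continue                   # drop the separator itself
        cur.append(ch)
    return opts

def find_tagged(text):
    """Return (sid, msg, tag_value, rule_without_tag) for each active rule using 'tag'."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^([^#(][^(]*)\((.*)\)\s*$', line)   # skips blanks and comments
        if not m:
            continue
        header, opts = m.group(1), split_options(m.group(2))
        kv = {}
        for opt in opts:
            key, _, value = opt.partition(':')
            kv.setdefault(key.strip(), value.strip())
        if 'tag' in kv:
            kept = [o for o in opts if o.partition(':')[0].strip() != 'tag']
            cleaned = header + '(' + '; '.join(kept) + ';)'
            hits.append((kv.get('sid'), kv.get('msg', '').strip('"'), kv['tag'], cleaned))
    return hits

if __name__ == '__main__':
    for sid, msg, tag, cleaned in find_tagged(SAMPLE_RULES):
        print(f'sid {sid} ({msg}) uses tag:{tag}\n  without tag: {cleaned}')
```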

