[Snort-users] Managing tagged packets

nikns nikns at ...13802...
Fri Jun 9 14:32:26 EDT 2006


If you use FLoP with extended db then with BASE you can get:
http://secure.lv/~nikns/stuff/base_tagged_packet.jpg
as long as you don't delete the first packet.
Without the FLoP extended db or without the first packet you can
try to determine the rule that caused this tagged event by
looking at the payload ;].

On Fri, Jun 09, 2006 at 02:26:32PM -0400, Humes, David G. wrote:
>As I understand it now, the unified output snort plugin writes stream4
>reassembled packets to the log file as the individual packets that
>caused the alert rather than as stream4 uberpackets.  The first packet
>is associated with the alert, and subsequent packets are logged as
>tagged packets.  The problem is how to manage the tagged packets.  They
>tend to clutter up the database and need to be periodically removed.  But,
>you have to be careful not to delete tagged packets associated with
>alerts that you want to keep.  Otherwise you lose part of the payload
>that triggered the alert.  Since we use BASE, I was wondering if the
>BASE team was giving consideration to a way to present tagged packets
>with their associated alerts.  This would give the analyst access to the
>entire payload that triggered the alert and also provide a way to delete
>tagged packets when deleting the associated alerts.
>
>--Dave