[Snort-users] Managing tagged packets
nikns at ...13802...
Fri Jun 9 14:32:26 EDT 2006
If you use FLoP with extended db then with BASE you can get:
as long as you don't delete the first packet.
Without FLoP extended db or without the first packet you can
try to determine the rule that caused this tagged event by
looking at the payload ;].
On Fri, Jun 09, 2006 at 02:26:32PM -0400, Humes, David G. wrote:
>As I understand it now, the unified output snort plugin writes stream4
>reassembled packets to the log file as the individual packets that
>caused the alert rather than as stream4 uberpackets. The first packet
>is associated with the alert, and subsequent packets are logged as
>tagged packets. The problem is how to manage the tagged packets. They
>tend to clutter up the database and need to be periodically removed. But,
>you have to be careful not to delete tagged packets associated with
>alerts that you want to keep. Otherwise you lose part of the payload
>that triggered the alert. Since we use BASE, I was wondering if the
>BASE team was giving consideration to a way to present tagged packets
>with their associated alerts. This would give the analyst access to the
>entire payload that triggered the alert and also provide a way to delete
>tagged packets when deleting the associated alerts.
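An added example, not from this thread, of the housekeeping David describes: correlating "Tagged Packet" events (generator 2, sid 1 in Snort's gen-msg.map) back to the alert that spawned them, so that only tagged packets whose alert is gone are deleted. The classic Snort database schema that BASE reads stores no explicit link between a tagged packet and its alert, so the code assumes a heuristic: same sensor, same TCP 5-tuple in either direction, within a time window after a non-tag alert. That heuristic, the window length, the hypothetical rule name, the host addresses and all rows are constructed for this example; the table and column names (event, signature, iphdr, tcphdr, sig_gid, sig_sid) follow the Snort schema but only the columns used here are reproduced, and FLoP's extended schema is not modelled.

```python
"""Correlate Snort 'Tagged Packet' events with their parent alert and
delete only the orphans. Added example; assumptions are marked inline."""
import sqlite3

TAG_GID, TAG_SID = 2, 1                    # "tag: Tagged Packet" in gen-msg.map
A_HOST, B_HOST = 0x0A000001, 0xC0A80105    # constructed: 10.0.0.1 and 192.168.1.5 as u32

# Subset of the Snort DB schema (assumption: only the columns this example uses).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_gid INTEGER, sig_sid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample rows for sensor sid=1: (cid, signature, timestamp, src, dst, proto, sport, dport)
SAMPLE_ROWS = [
    (1, 1, '2006-06-09 14:00:00', A_HOST, B_HOST, 6, 40000, 80),    # the alert (first packet)
    (2, 2, '2006-06-09 14:00:01', A_HOST, B_HOST, 6, 40000, 80),    # tagged, same flow
    (3, 2, '2006-06-09 14:00:05', A_HOST, B_HOST, 6, 40000, 80),    # tagged, same flow
    (4, 2, '2006-06-09 14:30:00', B_HOST, A_HOST, 6, 443, 51000),   # tagged, alert already deleted
    (5, 2, '2006-06-09 14:00:02', B_HOST, A_HOST, 6, 80, 40000),    # tagged, reply direction (tag:session)
]

# All tagged-packet events with the 5-tuple needed for matching (TCP only: assumption).
TAGGED_SQL = """
SELECT e.sid, e.cid, e.timestamp, i.ip_src, i.ip_dst, i.ip_proto, t.tcp_sport, t.tcp_dport
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
WHERE s.sig_gid = ? AND s.sig_sid = ?
ORDER BY e.sid, e.cid
"""

# Most recent non-tag alert on the same sensor and flow (either direction) within :window seconds.
PARENT_SQL = """
SELECT a.sid, a.cid
FROM event a
JOIN signature s   ON s.sig_id = a.signature
JOIN iphdr  ai     ON ai.sid = a.sid AND ai.cid = a.cid
JOIN tcphdr atcp   ON atcp.sid = a.sid AND atcp.cid = a.cid
WHERE NOT (s.sig_gid = :tgid AND s.sig_sid = :tsid)
  AND a.sid = :sid
  AND a.timestamp <= :ts
  AND (julianday(:ts) - julianday(a.timestamp)) * 86400.0 <= :window
  AND ai.ip_proto = :proto
  AND ((ai.ip_src = :src AND ai.ip_dst = :dst AND atcp.tcp_sport = :sport AND atcp.tcp_dport = :dport)
    OR (ai.ip_src = :dst AND ai.ip_dst = :src AND atcp.tcp_sport = :dport AND atcp.tcp_dport = :sport))
ORDER BY a.timestamp DESC, a.cid DESC
LIMIT 1
"""


def open_sample_db():
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", [
        (1, 'EXAMPLE hypothetical rule', 1, 1000001),   # constructed rule name and sid
        (2, 'tag: Tagged Packet', TAG_GID, TAG_SID),
    ])
    for cid, sig, ts, src, dst, proto, sport, dport in SAMPLE_ROWS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, ?)", (cid, src, dst, proto))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
    conn.commit()
    return conn


def correlate_tagged(conn, window_s=60):
    """Map each tagged packet (sid, cid) to its parent alert (sid, cid), or None if orphaned."""
    result = {}
    for sid, cid, ts, src, dst, proto, sport, dport in conn.execute(TAGGED_SQL, (TAG_GID, TAG_SID)):
        row = conn.execute(PARENT_SQL, {
            "tgid": TAG_GID, "tsid": TAG_SID, "sid": sid, "ts": ts, "window": window_s,
            "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
        }).fetchone()
        result[(sid, cid)] = tuple(row) if row else None
    return result


def tagged_for_alert(conn, alert, window_s=60):
    """Tagged packets to show alongside one alert, i.e. the rest of the payload that triggered it."""
    return sorted(key for key, parent in correlate_tagged(conn, window_s).items() if parent == alert)


def delete_orphaned_tagged(conn, window_s=60):
    """Delete tagged packets with no surviving parent alert; returns the number removed.
    A real schema has further per-event tables (data, opt, ...) that must be cleaned too."""
    orphans = [key for key, parent in correlate_tagged(conn, window_s).items() if parent is None]
    for sid, cid in orphans:
        for table in ("event", "iphdr", "tcphdr"):
            conn.execute(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", (sid, cid))
    conn.commit()
    return len(orphans)


if __name__ == "__main__":
    db = open_sample_db()
    for tagged, parent in sorted(correlate_tagged(db).items()):
        print(tagged, "->", parent)
    print("deleted orphans:", delete_orphaned_tagged(db))
```

The window is the weak point of the heuristic: tag:session or tag:host with a long count can emit tagged packets well after the alert, so size it to the longest tag option in the ruleset, and run the deletion against a copy before trusting it on a production BASE database.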