[Snort-users] Managing tagged packets

nikns nikns at ...13802...
Fri Jun 9 14:32:26 EDT 2006

If you use FLoP with the extended db, then with BASE you can get:
as long as you don't delete the first packet.
Without the FLoP extended db, or without the first packet, you can
try to determine the rule that caused this tagged event by
looking at the payload ;].

On Fri, Jun 09, 2006 at 02:26:32PM -0400, Humes, David G. wrote:
>As I understand it now, the unified output snort plugin writes stream4
>reassembled packets to the log file as the individual packets that
>caused the alert rather than as stream4 uberpackets.  The first packet
>is associated with the alert, and subsequent packets are logged as
>tagged packets.  The problem is how to manage the tagged packets.  They
>tend to clutter up the database and need to be periodically removed.  But,
>you have to be careful not to delete tagged packets associated with
>alerts that you want to keep.  Otherwise you lose part of the payload
>that triggered the alert.  Since we use BASE, I was wondering if the
>BASE team was giving consideration to a way to present tagged packets
>with their associated alerts.  This would give the analyst access to the
>entire payload that triggered the alert and also provide a way to delete
>tagged packets when deleting the associated alerts.
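The retention problem David describes (tagged packets must go when their alert goes, and never before) can be made mechanical once the database carries a link from each tagged packet back to the alert that tagged the flow. The following is an added example, not code from Snort, BASE or FLoP: it uses a constructed two-table SQLite schema in which a hypothetical parent_cid column supplies that link (plain BASE does not have one, which is the gap the thread is about), and shows the two clean-up operations an analyst would want: dropping only orphaned tagged packets, and purging old alerts together with their tagged packets in one transaction.

```python
import sqlite3

# Constructed stand-in schema (not the real Snort/BASE schema).  The
# parent_cid column is the hypothetical alert-to-tagged-packet link.
SCHEMA = """
CREATE TABLE alert (
    cid      INTEGER PRIMARY KEY,   -- event id
    sig_name TEXT    NOT NULL,
    ts       TEXT    NOT NULL       -- ISO-8601, so string order == time order
);
CREATE TABLE tagged_packet (
    cid        INTEGER PRIMARY KEY,
    parent_cid INTEGER NOT NULL,    -- hypothetical: cid of the alert that tagged this flow
    ts         TEXT    NOT NULL
);
"""

# Constructed sample rows: alert 1 with two tagged packets, alert 2 with one,
# and tagged packet 901 whose parent alert (cid 9) is already gone.
SAMPLE_ALERTS = [
    (1, "WEB-MISC sample rule", "2006-06-01T10:00:00"),
    (2, "WEB-MISC sample rule", "2006-06-09T10:00:00"),
]
SAMPLE_TAGGED = [
    (101, 1, "2006-06-01T10:00:01"),
    (102, 1, "2006-06-01T10:00:02"),
    (201, 2, "2006-06-09T10:00:01"),
    (901, 9, "2006-05-20T08:00:00"),
]


def open_db():
    """Create the in-memory toy database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?)", SAMPLE_ALERTS)
    conn.executemany("INSERT INTO tagged_packet VALUES (?, ?, ?)", SAMPLE_TAGGED)
    conn.commit()
    return conn


def orphaned_tagged_packets(conn):
    """cids of tagged packets whose parent alert no longer exists.

    These are the only rows a routine clean-up may drop without losing
    payload an analyst might still need for a retained alert."""
    rows = conn.execute(
        "SELECT t.cid FROM tagged_packet t "
        "LEFT JOIN alert a ON a.cid = t.parent_cid "
        "WHERE a.cid IS NULL ORDER BY t.cid"
    ).fetchall()
    return [r[0] for r in rows]


def delete_orphans(conn):
    """Remove orphaned tagged packets; returns the number deleted."""
    cur = conn.execute(
        "DELETE FROM tagged_packet WHERE parent_cid NOT IN (SELECT cid FROM alert)"
    )
    conn.commit()
    return cur.rowcount


def purge_alerts_before(conn, cutoff_ts):
    """Delete alerts older than cutoff_ts together with their tagged packets,
    so an alert and the rest of its payload leave the database as one unit.

    Returns (alerts_deleted, tagged_deleted)."""
    # One transaction: never leave tagged rows without their alert, or an
    # alert without the tagged packets that complete its payload.
    with conn:
        tagged = conn.execute(
            "DELETE FROM tagged_packet WHERE parent_cid IN "
            "(SELECT cid FROM alert WHERE ts < ?)",
            (cutoff_ts,),
        ).rowcount
        alerts = conn.execute(
            "DELETE FROM alert WHERE ts < ?", (cutoff_ts,)
        ).rowcount
    return alerts, tagged


def remaining_tagged(conn):
    """cids of tagged packets still in the database, in order."""
    return [r[0] for r in conn.execute("SELECT cid FROM tagged_packet ORDER BY cid")]


if __name__ == "__main__":
    db = open_db()
    print("orphans:", orphaned_tagged_packets(db))
    print("orphans deleted:", delete_orphans(db))
    print("purged (alerts, tagged):", purge_alerts_before(db, "2006-06-05T00:00:00"))
    print("tagged packets left:", remaining_tagged(db))
```

The tagged rows are deleted first, while the alerts they hang off are still present to drive the subquery, and both statements sit in one transaction; run the same two steps in the other order, or outside a transaction, and a failure halfway through leaves exactly the half-deleted state the thread warns about.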
