[Snort-users] Can't suppress Tagged Packet

Rob Ward rob.ward at ...11329...
Fri May 26 06:37:03 EDT 2006


--On 26 May 2006 13:37 +0200 Dirk Geschke <dirk at ...10648...> wrote:

> is it possible that you use the unified output plugin?
>
> In this case all rebuilt packets from stream4 which raise an alert
> are stored as the original individual packets. The first is associated
> with the alert message and all further parts are labeled as "Tagged
> Packet".
>
> So in this case it will not help to suppress it this way. I fear
> you have to tune your rules to reduce the number of alerts. (Or
> you can use another output method, AFAIK only the unified output
> plugin decomposes the rebuilt packet with "Tagged Packets".)

Hi Dirk, I'm not using the unified output plugin.

Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
