[Snort-users] alert suppression

Greg Bowser topnotcher at ...11827...
Wed May 6 16:48:33 EDT 2009


>Yes I am running some of the emerging-threats rules, and grepping for
“tag:” shows quite a few rules that use it.
> Is there no way to determine which rule is generating the “tag: tagged
packet” alert? What is it for exactly?
Somtimes, it is nice to see the packets that follow the packet that
triggered an alert. (i.e. the response).  The tag keyword accomplishes this.
 Any of the rules you found that have the "tag" keyword will tag packets.
(exactly which packets and how many is specified in the rule)
If you look at the traffic with the same src/dst ip pair (in either order)
before the tagged packets, you should see the rule that started the tagging.
-- Greg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090506/ccce6b7e/attachment.html>


More information about the Snort-users mailing list