[Snort-users] alert suppression

Joel Esler jesler at ...1935...
Wed May 6 16:56:39 EDT 2009

Check out the README.tag in the doc/ directory of Snort.

On Wed, May 6, 2009 at 4:48 PM, Greg Bowser <topnotcher at ...11827...> wrote:

> >Yes I am running some of the emerging-threats rules, and grepping for
> “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag: tagged
> packet” alert? What is it for exactly?
> Somtimes, it is nice to see the packets that follow the packet that
> triggered an alert. (i.e. the response).  The tag keyword accomplishes this.
>  Any of the rules you found that have the "tag" keyword will tag packets.
> (exactly which packets and how many is specified in the rule)
> If you look at the traffic with the same src/dst ip pair (in either order)
> before the tagged packets, you should see the rule that started the tagging.
> -- Greg

joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090506/fcb65932/attachment.html>

More information about the Snort-users mailing list