[Snort-users] alert suppression
jesler at ...1935...
Wed May 6 16:56:39 EDT 2009
Check out the README.tag in the doc/ directory of Snort.
On Wed, May 6, 2009 at 4:48 PM, Greg Bowser <topnotcher at ...11827...> wrote:
> > Yes I am running some of the emerging-threats rules, and grepping for
> > “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag: tagged
> > packet” alert? What is it for exactly?
> Sometimes, it is nice to see the packets that follow the packet that
> triggered an alert (i.e. the response). The tag keyword accomplishes this.
> Any of the rules you found that have the "tag" keyword will tag packets.
> (exactly which packets and how many is specified in the rule)
> If you look at the traffic with the same src/dst ip pair (in either order)
> before the tagged packets, you should see the rule that started the tagging.
> -- Greg
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
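An added example, not from this thread or from Snort itself, of the correlation Greg describes: read alerts in alert_fast style and attribute each "tag: Tagged Packet" line to the most recent earlier non-tag alert on the same unordered IP pair. The log lines are constructed, and the exact alert_fast layout and the [2:1:1] event id for tagged packets are assumptions.

```python
import re

# Constructed sample alerts in Snort alert_fast style (not real captures).
# The first line stands for a rule carrying an option such as
# tag:session,10,packets (see README.tag); the "tag:" lines are the
# follow-on packets Snort logs because of it.
SAMPLE_ALERTS = """\
05/06-16:40:01.000001  [**] [1:2000001:3] ET TEST rule with tag [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
05/06-16:40:01.000500  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 3] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234
05/06-16:40:01.001000  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
05/06-16:40:05.000000  [**] [2:1:1] tag: Tagged Packet [**] [Priority: 3] {TCP} 172.16.0.9:40000 -> 192.168.1.10:22
"""

# Assumed alert_fast layout: timestamp, [gid:sid:rev], message, protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def attribute_tagged_packets(lines):
    """For each tagged-packet alert, return (timestamp, originating rule id).

    The rule id is that of the latest earlier non-tag alert between the same
    two hosts in either direction, which is the heuristic from the thread;
    None means no such alert was seen, so the origin must be found elsewhere.
    """
    last_rule_by_pair = {}
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        pair = frozenset((a["src"], a["dst"]))  # direction-agnostic key
        if a["msg"].lower().startswith("tag:"):
            results.append((a["ts"], last_rule_by_pair.get(pair)))
        else:
            last_rule_by_pair[pair] = f'{a["gid"]}:{a["sid"]}:{a["rev"]}'
    return results


if __name__ == "__main__":
    for ts, rule in attribute_tagged_packets(SAMPLE_ALERTS.splitlines()):
        print(ts, "tagged by", rule or "unknown (no prior alert on this pair)")
```

The last sample line shows the failure mode: a tagged packet whose originating alert is not in the same file, so the script reports it as unknown rather than guessing.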