Snort mailing list archives

Re: Tagged packets alerts
From: Kungu Panda <kungupanda () gmail com>
Date: Tue, 14 Dec 2010 14:22:54 +0000

Thank you Joe.

Is there a way to turn this behavior off such that tagged alerts are not
being generated under-the-hood by a preprocessor (if I understood correctly)?

K.Panda

On Tue, Dec 14, 2010 at 1:05 PM, Joel Esler <jesler () sourcefire com> wrote:

Getting an alert on a "tagged" packet with a rule without "tag" as an
option means that your rule is firing on a stream reassembled packet (as
opposed to a single packet).


Sent from my iPhone

On Dec 14, 2010, at 7:30 AM, Kungu Panda <kungupanda () gmail com> wrote:

I am getting tagged packets alerts for rules that *do not* include the
'tag' directive such as on sid:16313.

I am also getting tagged packets alerts for so_rules like sid:13824.  I
understand why this could be occurring -- the compiled so_rule includes the
'tag' directive and is not something that can be manipulated.

I would really like to disable tagged packets alerts in their entirety;
don't need them since we perform full packet captures to disc.  Already
performing a global search and replace on all non-so_rules that come with
'tag' to eliminate the tag directive.

Background:
   snort v2.8.6.3, outputting to log_unified, alert_unified, barnyard to
BASE.

Any thoughts or ideas?
K.Panda


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
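
The search-and-replace described in the original message, written as an added example (not code from the thread or from the Snort project): it removes the `tag` option from text rules by splitting the option list on unquoted, unescaped semicolons, so a literal `tag:` inside `msg` or `content` is left alone. The sample rules and their sids are constructed, one rule per line is assumed, and compiled so_rules are out of scope.

```python
# Added example: constructed rules with placeholder sids, one rule per line.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"constructed tagged rule"; content:"abc"; tag:session,10,packets; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"literal tag:host\; inside msg"; content:"tag:x"; sid:1000002; rev:1;)
# alert tcp any any -> any 21 (msg:"commented out"; tag:host,300,seconds,src; sid:1000003;)
'''

def split_options(body):
    """Split a rule's option body on ';' that is neither quoted nor escaped."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def strip_tag(line):
    """Return (rule_without_tag_option, changed). Comments and blanks pass through."""
    text = line.strip()
    if not text or text.startswith("#"):
        return line, False
    start, end = line.find("("), line.rfind(")")
    if start == -1 or end < start:
        return line, False  # not a rule with an option list
    opts = split_options(line[start + 1:end])
    # Compare the option keyword only, never the option's value.
    kept = [o for o in opts if o.split(":", 1)[0].strip() != "tag"]
    if len(kept) == len(opts):
        return line, False
    return line[:start + 1] + " ".join(o + ";" for o in kept) + line[end:], True

def strip_tags(rules_text):
    """Apply strip_tag to every line; return (new_text, number_of_rules_changed)."""
    out, changed = [], 0
    for line in rules_text.splitlines():
        new_line, hit = strip_tag(line)
        out.append(new_line)
        changed += hit
    return "\n".join(out), changed
```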

