Snort mailing list archives
TCP Session logging with ACID
From: <jonasb () alum rpi edu>
Date: Thu, 29 Apr 2004 07:36:15 -0700
Hi - I'm trying to get a feel for the difference between using the stream pre-processor and the TAG: session keywords in a rule.

If I want to log every telnet session and view each one as an alert within ACID, would I have to set a rule with content so that the pre-processor picks it up? If I use TAG however, will this generate an alert for each packet tagged?

I guess my question is when would you use TAG vs. just relying on the stream preprocessor, and how would a TAGged session appear in ACID?

Thanks!
B