Snort mailing list archives
Re: Tagged Packet ... AAAHHH
From: Jeff Kell <jeff-kell () utc edu>
Date: Sun, 30 Oct 2005 22:28:59 -0500
Joel Esler wrote:
One of your rules (most likely a bleedingsnort rule) has the keyword "tag" in it. Look in your rules for the word "tag" and remove the keyword and its modifiers from the rule body.
Not sure how to do this with other post-processing utilities, but if you're using BASE, you can usually track this down by doing the following to one of the tagged packets in question:

- Click on the source address.
- Select "source or destination".
- Clear the "tagged" alert signature criteria.
- Sort the result chronologically.

The signature that contained the triggering "tag" should precede the tagged packets in the output. If it doesn't, repeat the same procedure with the destination address.

Jeff
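An added example, not part of either poster's message: a plain text search for "tag" also matches rules that merely mention the word in `msg` or `content`, so this sketch parses each rule's option list and reports only active rules that use the `tag` option. The sample rules, sids and messages are constructed for illustration.

```python
import re

# Constructed sample rules (sids and msgs are made up for this example).
SAMPLE = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE suspicious request"; flow:to_server,established; content:"/cmd.exe"; tag:host,300,seconds,src; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE html script tag\; seen"; content:"<script tag"; sid:1000002; rev:1;)
#alert tcp any any -> any 21 (msg:"EXAMPLE disabled"; tag:session,10,packets; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE continued rule"; \
    content:"|01 00|"; tag:session,50,packets; sid:1000004; rev:2;)
'''

def split_options(body):
    """Split the option body on ';', skipping ';' that is quoted or backslash-escaped."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def rules_with_tag(text):
    """Return (sid, msg, tag arguments) for every active rule that uses 'tag'."""
    hits = []
    text = re.sub(r"\\\r?\n", " ", text)      # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        start, end = line.find("("), line.rfind(")")
        if not line or line.startswith("#") or start < 0 or end < start:
            continue                           # blank, disabled, or not a rule
        opts = {}
        for opt in split_options(line[start + 1:end]):
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), val.strip())
        if "tag" in opts:                      # the option itself, not the word
            hits.append((opts.get("sid"), opts.get("msg", "").strip('"'), opts["tag"]))
    return hits

if __name__ == "__main__":
    for sid, msg, tag in rules_with_tag(SAMPLE):
        print(f"sid {sid}: {msg!r} uses tag:{tag}")
```

To check a real rule set, pass the contents of each rules file to `rules_with_tag` in place of `SAMPLE`.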
Current thread:
- Tagged Packet ... AAAHHH Michael Gale (Oct 29)
- Re: Tagged Packet ... AAAHHH Joel Esler (Oct 29)
- Re: Tagged Packet ... AAAHHH Jeff Kell (Oct 30)
- Re: Tagged Packet ... AAAHHH Dirk Geschke (Oct 30)
- Re: Tagged Packet ... AAAHHH Joel Esler (Oct 30)
- Re: Tagged Packet ... AAAHHH Joel Esler (Oct 29)