Snort mailing list archives

Managing tagged packets


From: "Humes, David G." <David.Humes () jhuapl edu>
Date: Fri, 9 Jun 2006 14:26:32 -0400

As I understand it now, the unified output snort plugin writes stream4
reassembled packets to the log file as the individual packets that
caused the alert rather than as stream4 uberpackets.  The first packet
is associated with the alert, and subsequent packets are logged as
tagged packets.  The problem is how to manage the tagged packets.  They
tend to clutter up the database and need to be periodically removed.  But,
you have to be careful not to delete tagged packets associated with
alerts that you want to keep.  Otherwise you lose part of the payload
that triggered the alert.  Since we use BASE, I was wondering if the
BASE team was giving consideration to a way to present tagged packets
with their associated alerts.  This would give the analyst access to the
entire payload that triggered the alert and also provide a way to delete
tagged packets when deleting the associated alerts.

--Dave
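The bookkeeping the post asks for, grouping each tagged packet under the alert that spawned it so the analyst sees the whole payload and a delete removes both together, can be sketched with a small in-memory model. This is an added example, not BASE code and not the ACID/BASE database schema; it assumes (hypothetically) that alerts and tagged packets each carry a timestamp and a 5-tuple, and that a tagged packet belongs to the most recent alert on the same session within an assumed TAG_WINDOW. All sample records are constructed.

```python
"""Associate Snort tagged follow-up packets with their originating alert.

Hypothetical model, NOT the BASE/ACID schema: every alert and tagged packet
carries a timestamp and a 5-tuple. A tagged packet is owned by the latest
alert on the same session whose timestamp precedes it by at most TAG_WINDOW.
Packets with no owner are orphans and can be purged without losing payload.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_WINDOW = 300.0  # assumed maximum tag duration in seconds

FiveTuple = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto


@dataclass
class Alert:
    alert_id: int
    timestamp: float
    flow: FiveTuple
    sig_name: str
    payload: bytes


@dataclass
class TaggedPacket:
    packet_id: int
    timestamp: float
    flow: FiveTuple
    payload: bytes


def normalize(flow: FiveTuple) -> tuple:
    """Direction-independent session key so reply packets match the alert flow."""
    src, sport, dst, dport, proto = flow
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


class AlertStore:
    def __init__(self, alerts: List[Alert], tagged: List[TaggedPacket]):
        self.alerts = {a.alert_id: a for a in alerts}
        self.tagged = {p.packet_id: p for p in tagged}
        self.owner: Dict[int, Optional[int]] = {}
        self._associate()

    def _associate(self) -> None:
        by_flow: Dict[tuple, List[Alert]] = {}
        for a in self.alerts.values():
            by_flow.setdefault(normalize(a.flow), []).append(a)
        for lst in by_flow.values():
            lst.sort(key=lambda a: a.timestamp)
        for p in self.tagged.values():
            owner = None
            for a in by_flow.get(normalize(p.flow), []):
                if a.timestamp <= p.timestamp <= a.timestamp + TAG_WINDOW:
                    owner = a.alert_id  # latest qualifying alert wins
            self.owner[p.packet_id] = owner

    def packets_for(self, alert_id: int) -> List[int]:
        return sorted(pid for pid, o in self.owner.items() if o == alert_id)

    def full_payload(self, alert_id: int) -> bytes:
        """Alert payload followed by its tagged packets, in packet order."""
        a = self.alerts[alert_id]
        tail = b"".join(self.tagged[pid].payload for pid in self.packets_for(alert_id))
        return a.payload + tail

    def orphans(self) -> List[int]:
        return sorted(pid for pid, o in self.owner.items() if o is None)

    def delete_alert(self, alert_id: int) -> List[int]:
        """Delete an alert and, in the same step, only the packets it owns."""
        removed = self.packets_for(alert_id)
        for pid in removed:
            del self.tagged[pid]
            del self.owner[pid]
        del self.alerts[alert_id]
        return removed

    def purge_orphans(self) -> List[int]:
        """Safe cleanup: only packets no surviving alert depends on."""
        gone = self.orphans()
        for pid in gone:
            del self.tagged[pid]
            del self.owner[pid]
        return gone


def build_sample_store() -> AlertStore:
    # Constructed sample data: two sessions, one tagged packet outside the window.
    f1: FiveTuple = ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp")
    f1_reply: FiveTuple = ("192.0.2.10", 80, "10.0.0.5", 40001, "tcp")
    f2: FiveTuple = ("10.0.0.6", 40002, "192.0.2.10", 443, "tcp")
    alerts = [
        Alert(1, 100.0, f1, "EXAMPLE web request", b"GET /a "),
        Alert(2, 100.0, f2, "EXAMPLE tls", b"\x16\x03"),
    ]
    tagged = [
        TaggedPacket(1, 101.0, f1, b"HTTP/1.1"),
        TaggedPacket(2, 102.0, f1_reply, b" 200 OK"),
        TaggedPacket(3, 500.0, f1, b"late"),       # beyond TAG_WINDOW: orphan
        TaggedPacket(4, 103.0, f2, b"\x01\x00"),
    ]
    return AlertStore(alerts, tagged)


if __name__ == "__main__":
    s = build_sample_store()
    print("alert 1 payload:", s.full_payload(1))
    print("orphans:", s.orphans())
    print("deleted with alert 1:", s.delete_alert(1))
```

The session key is direction-independent so reply packets tagged by `tag:session` land under the same alert as the request; with real database rows the same two queries (packets owned by an alert, packets owned by nobody) are what a BASE-style "delete alert" action and a periodic cleanup job would run.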


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
