[unisog] Snort woes

Michael Holstein michael.holstein at csuohio.edu
Mon Jan 24 18:23:38 GMT 2005


The 'tag' directive is used on many of the bleedingsnort.org rules ..

See section 3.7.5 of the Snort users manual :
http://www.snort.org/docs/snort_manual/node21.html#SECTION00475000000000000000

If you're using the "database" output plugin, all those 'tagged' packets 
show up under the same Sig_ID and there isn't an effective way (that 
I'm aware of) to get a DB frontend to reassemble them for you. This is, 
in my opinion, more than a 'little' annoying.

If you're using Oinkmaster for rule management, it's a trivial matter to 
set up the config to strip the 'tag, 20, packets' out of each line (the 
same can be done with simple ol' sed, perl, awk, etc.).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

PS : while we're on the subject, does anyone know of a frontend for the 
snort_db that can graphically reassemble the packets generated under the 
'tag' directive? Or an easy way to post-process them into a tcpdump file 
(without using the binary mode)?
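The sed approach mentioned in the post, as an added example that is not part of the original message: a small shell function that removes the 'tag:' option from Snort rule lines before they are loaded, so follow-on packets stop piling up under one Sig_ID in the database output. The rule text and sids below are constructed placeholders, not real bleedingsnort.org rules.

```shell
#!/bin/sh
# Added example: strip the 'tag:' option out of Snort rules with plain sed.
# Reads rules on stdin, writes the cleaned rules on stdout. Rules that have
# no tag option pass through unchanged.

strip_tag() {
    # Remove "tag:<anything up to the next ;>;" plus the whitespace that
    # separated it from the previous option. The pattern is anchored on the
    # option keyword, so ordinary content/msg text is left alone unless it
    # literally contains the token "tag:" (check your ruleset for that).
    sed -e 's/[[:space:]]*tag:[^;]*;//g'
}

# Count rules on stdin that still carry a tag option; handy as a check
# after running a ruleset through strip_tag (prints 0 when clean).
count_tagged() {
    grep -c 'tag:' || true
}

# Constructed sample rules (placeholder sids 9000001/9000002).
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"probe"; tag:session,20,packets; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE no tag"; flow:to_server; sid:9000002; rev:1;)'

# Usage: pipe a rules file through strip_tag and check nothing is left.
printf '%s\n' "$SAMPLE_RULES" | strip_tag
printf '%s\n' "$SAMPLE_RULES" | strip_tag | count_tagged
```

To apply it to a real file, run `strip_tag < bleeding.rules > bleeding-notag.rules` and point snort.conf at the cleaned copy.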
