[unisog] Snort woes
michael.holstein at csuohio.edu
Mon Jan 24 18:23:38 GMT 2005
The 'tag' directive is used on many of the bleedingsnort.org rules ..
See section 3.7.5 of the Snort users' manual:
If you're using the "database" output plugin, all those 'tagged' packets
all show up under the same Sig_ID and there isn't an effective way (that
I'm aware of) to get a DB frontend to reassemble them for you. This is,
in my opinion, more than a 'little' annoying.
If you're using Oinkmaster for rule management, it's a trivial matter to
set up the config to strip the 'tag, 20, packets' out of each line (the
same can be done with simple 'ol sed, perl, awk, etc.).
Michael Holstein CISSP GCIA
Cleveland State University
PS: while we're on the subject, does anyone know of a frontend for the
snort_db that can graphically reassemble the packets generated under the
'tag' directive? Or an easy way to post-process them into a tcpdump file
(without using the binary mode)?
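The post mentions stripping the tag option from rule lines with Oinkmaster or sed/perl/awk. The following is an added example, not code from the original post, from Oinkmaster or from bleedingsnort.org: a small Python filter that removes the `tag:` option from each rule while leaving every other option in place. A naive `sed` over `;` can break on rules whose `msg` or `content` strings themselves contain a semicolon or the text `tag:`, so the splitter below tracks double-quoted strings. The sample rules are constructed for this example and use placeholder SIDs.

```python
import re

# Constructed sample ruleset (not real bleedingsnort.org rules; SIDs are placeholders).
# Rule 2 carries a tag option; rule 3 has ';' and 'tag:' inside quoted strings to
# show that the splitter does not trip over them; the last line is a comment.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed example; no tag"; flow:to_server; content:"SSH-|3B|"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed example with tag"; content:"GET"; tag:session,20,packets; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"tag; in quotes"; content:"tag:"; tag: host, 30, seconds, src; sid:9000003; rev:2;)
# comment line is preserved unchanged
"""


def split_options(body):
    """Split a Snort rule option body on ';' while respecting double-quoted
    strings (and backslash escapes inside them), so a ';' inside msg or
    content does not terminate an option."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == '\\' and i + 1 < len(body):
            cur.append(c)
            cur.append(body[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


# Header up to and including '(', the option body, and the closing ')'.
# A leading '#' is allowed so commented-out rules are handled the same way.
_RULE_RE = re.compile(r'^(\s*(?:#\s*)?\w+\s+[^(]*\()(.*)(\)\s*)$')


def strip_tag(rule):
    """Return the rule with its 'tag:' option removed; lines that are not
    rules (comments, blank lines, variable definitions) pass through."""
    m = _RULE_RE.match(rule)
    if not m:
        return rule
    head, body, tail = m.groups()
    opts = [o for o in split_options(body) if not re.match(r'tag\s*:', o, re.I)]
    return head + ' '.join(o + ';' for o in opts) + tail


def strip_tags(text):
    """Apply strip_tag to every line of a ruleset and return the result."""
    return '\n'.join(strip_tag(line) for line in text.splitlines())


if __name__ == '__main__':
    # Usage as a filter: python strip_tag.py < rules.in > rules.out
    import sys
    sys.stdout.write(strip_tags(sys.stdin.read()) + '\n')
```

Run it over a rules file before Snort loads it, or drop the same idea into Oinkmaster's `modifysid` directive (a regex and an empty replacement) if you want the rewrite applied at update time; check the Oinkmaster documentation for the exact `modifysid` syntax for your version.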