From: Humes, David G. <David.H<umes@jh...> - 2006-06-09 18:27:00
As I understand it now, the unified output snort plugin writes stream4
reassembled packets to the log file as the individual packets that
caused the alert rather than as stream4 uberpackets. The first packet
is associated with the alert, and subsequent packets are logged as
tagged packets. The problem is how to manage the tagged packets. They
tend to clutter up the database and need to periodically removed. But,
you have to be careful not to delete tagged packets associated with
alerts that you want to keep. Otherwise you lose part of the payload
that triggered the alert. Since we use BASE, I was wondering if the
BASE team was giving consideration to a way to present tagged packets
with their associated alerts. This would give the analyst access to the
entire payload that triggered the alert and also provide a way to delete
tagged packets when deleting the associated alerts.
Secureideas-base-user mailing list
Get latest updates about Open Source Projects, Conferences and News.