I had the same problem. I found that some rules were doing the
tagging in the rule. They do this with the tag key word. Do a grep on
the rules folder for tag and you will find them.
I use oinkmaster to rewrite these rules. Here is an example of the
conf for oinkmaster that removes the tag key word from the bleeding-
virus.rules.
# remove tag from rules that create tagged packets in bleeding-
virus.rules.
modifysid bleeding-virus.rules "tag: session, 20, packets;" | ""
modifysid bleeding-virus.rules "tag: host,300,seconds,dst;" | ""
modifysid bleeding-virus.rules "tag: host,300,seconds,src;" | ""
modifysid bleeding-virus.rules "tag: session, 10, packets;" | ""
modifysid bleeding-virus.rules "tag: host,5,packets,src;" | ""
Oinkmaster also updates the rules everynight from both snort and
bleeding edge for us. It also updates the threashold file we use to
exculde rules. Since we are running 10 snort boxes it is a life saver.
Hope this helps.
Thank you
Gary Douglas
R&I, ResNet Administrator
University Computer Support Services
Western Illinois University
On May 26, 2006, at 6:37 AM, Dirk Geschke wrote:
Hi Rob,
I'm using Net BSD 3 current and Snort 2.4.4.
I can't suppress the 'Tagged Packet' alert which is producing
thousands of
false positives and swamping my database.
All other suppression and thresholding works fine.
I have the following in threshold.conf
# Suppress Tagged Packet
suppress gen_id 2, sig_id 1, track by_src, ip x.x.0.0/16
suppress gen_id 2, sig_id 1, track by_dst, ip x.x.0.0/16
gen-msg.map has the following:
2 || 1 || tag: Tagged Packet
is it possible that you use the unified output plugin?
In this case all rebuild packets from stream4 which raise an alert
are stored as the original individual packets. The first is associated
with the alert message and all further parts are labeled as "Tagged
Packet".
So in this case it will not help to suppress it this way. I fear
you have to tune your rules to reduce the number of alerts. (Or
you can use another output method, AFAIK only the unified output
plugin decomposes the rebuild packet with "Tagged Packets".)
Best regards
Dirk
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and
Risk!
Fully trained technicians. The highest number of Red Hat
certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?
cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
