[Snort-devel] Re: [Snort-users] New Feature: tagging

Brian Caswell bmc at ...227...
Thu Feb 15 12:39:58 EST 2001


Martin Roesch wrote:
>      I've been working on this one for the past week or so and I think
> you're going to like it.  What I've implemented is the ability for Snort
> to follow sessions/hosts that cause alerts.  For instance, if you've got
> an alert where you'd really like to follow along for a given period or
> number of packets, you can now tell Snort to "tag" the session (or host)
> that caused the alert to go off and log all applicable packets.

- rules without a tag give a warning.  (attached is a patch to fix that)
- adding "tag:session,10,seconds;" and then reading a 1 second tcpdump
  file makes snort sit and wait forever.  (NOTE: I started snort with a
  tag and a small tcpdump file before I started writing this e-mail, and
  it's still waiting.  snort usually takes about .5 seconds to process
  this file)
- there is no limit to max number of tags.  try adding the following rule,
  and then nmap yourself.  Snort coredumped after around 2190 sessions
  being opened. (all under 10 seconds, so every packet was trying to
  create a new TAG, or was being added to the same tag)

alert tcp any any -> any any (msg:"test"; tag:session,10,seconds;)

Other than that, it looks good.

-brian
-------------- next part --------------
Index: tag.c
===================================================================
RCS file: /cvsroot/snort/snort/tag.c,v
retrieving revision 1.2
diff -u -r1.2 tag.c
--- tag.c	2001/02/15 05:54:48	1.2
+++ tag.c	2001/02/15 22:21:23
@@ -327,20 +327,23 @@
 
     if(otn != NULL)
     {
-        switch(otn->tag_type)
+        if (otn->tag_type != NULL)
         {
-            case TAG_SESSION: 
-                TagSession(p, otn->tag_count, otn->tag_metric, p->pkth->ts.tv_sec);
-                break;
+            switch(otn->tag_type)
+            {
+                case TAG_SESSION: 
+                    TagSession(p, otn->tag_count, otn->tag_metric, p->pkth->ts.tv_sec);
+                    break;
 
-            case TAG_HOST:
-                TagHost(p, otn->tag_direction, otn->tag_count, 
-                        otn->tag_metric, p->pkth->ts.tv_sec);
-                break;    
-
-            default:
-                printf("WARNING: Trying to tag with unknown tag type!\n");
-                break;    
+                case TAG_HOST:
+                    TagHost(p, otn->tag_direction, otn->tag_count, 
+                            otn->tag_metric, p->pkth->ts.tv_sec);
+                    break;    
+    
+                default:
+                    printf("WARNING: Trying to tag with unknown tag type!\n");
+                    break;    
+            }
         }
     }
 #ifdef DEBUG
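Review bot: the new guard `if (otn->tag_type != NULL)` compares `otn->tag_type` against a pointer constant, but the field is used as the operand of `switch`, so it is an integral value; compare it against `0` (or a named "no tag" constant if one exists) so the intent is explicit and the compiler does not flag an integer/pointer mismatch. A smaller change that avoids the extra nesting is to leave the original `switch` in place and add a `case 0: break;` branch ahead of `default`, which suppresses the "unknown tag type" warning for rules that simply have no tag while still reporting genuinely unknown values.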

