[Snort-devel] Q: what is a tag?

Martin Roesch roesch at ...402...
Mon May 28 01:31:34 EDT 2001

Tagging is a dynamic follow-on logging capability.  It's sort of a hedge
for the activate/dynamic rules, which couldn't be tuned for the specific
hosts of interest in an event.  Basically, if you want to see what
happens after an event, you need to set a tag on the host/session that
caused the alert to go off in the first place.  We do this in Snort
using the new (1.8) "tag" keyword.  For example:

alert tcp any any -> $HOME_NET 143 (content: "boom"; dsize: >1000; \
                                    msg: "IMAP buffer overflow";   \
                                    tag: host, 300, seconds, src;)

If this notional "buffer overflow" rule were to be activated, it'd start
logging all activity to and from the src host in the attack packet for
the next 300 seconds (5 minutes).


Bart van Kuik wrote:
> I've been digging through the source to figure out how it works.
> Now I find in rules.c, line 3397 a call to CheckTagList(). But what is a TagNode? I can't figure it out from tag.h alone....
> Bart
> --
> Check http://www.vankuik.nl/~bart/ for GPG public key
> --
> Actual war is a very messy business.  Very, very messy business.
>                 -- Kirk, "A Taste of Armageddon", stardate 3193.0

Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
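
Added example (not part of the original message, and not Snort's source): a small Python model of the host-tag behaviour described above, showing which follow-on packets would be logged after the alert. The TagTable class, the packet dictionaries and the exact expiry boundary are assumptions made for illustration; the "packets" metric goes beyond the "seconds" case shown in the message.

```python
from dataclasses import dataclass

@dataclass
class Tag:
    kind: str        # "host" (the only type modelled here)
    count: int       # how many seconds or packets to keep logging
    metric: str      # "seconds" or "packets"
    direction: str   # "src" or "dst": which address of the alert packet to tag

def parse_tag(option):
    """Parse a tag option body such as 'host, 300, seconds, src'."""
    parts = [p.strip() for p in option.rstrip(";").split(",")]
    if len(parts) != 4:
        raise ValueError("expected: host, <count>, <metric>, <src|dst>")
    kind, count, metric, direction = parts
    if kind != "host" or metric not in ("seconds", "packets") or direction not in ("src", "dst"):
        raise ValueError("unsupported tag option: " + option)
    return Tag(kind, int(count), metric, direction)

class TagTable:
    """Hypothetical tagged-host table (not Snort's TagNode structure)."""
    def __init__(self):
        self.hosts = {}  # tagged IP -> [Tag, time of alert, packets logged so far]
    def on_alert(self, tag, pkt):
        self.hosts[pkt[tag.direction]] = [tag, pkt["ts"], 0]
    def should_log(self, pkt):
        for ip in (pkt["src"], pkt["dst"]):
            entry = self.hosts.get(ip)
            if entry is None:
                continue
            tag, start, logged = entry
            used = pkt["ts"] - start if tag.metric == "seconds" else logged + 1
            if used > tag.count:
                del self.hosts[ip]   # tag expired: stop following this host
                continue
            entry[2] += 1
            return True
        return False

def demo():
    # Constructed packets: timestamps in seconds, documentation-range addresses.
    table = TagTable()
    table.on_alert(parse_tag("host, 300, seconds, src"),
                   {"ts": 0, "src": "203.0.113.5", "dst": "192.168.1.10"})
    later = [{"ts": 10, "src": "203.0.113.5", "dst": "192.168.1.20"},
             {"ts": 120, "src": "192.168.1.20", "dst": "203.0.113.5"},
             {"ts": 200, "src": "198.51.100.7", "dst": "192.168.1.10"},
             {"ts": 301, "src": "203.0.113.5", "dst": "192.168.1.10"}]
    return [table.should_log(p) for p in later]
```

demo() follows the rule from the message: traffic to and from the tagged source host is logged inside the 300-second window, while unrelated hosts and packets after the window are not.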
