[Snort-devel] tagaction feature commentary request ( diff against 1.8.3 )

Chris Green cmg at ...81...
Fri Jan 4 21:35:03 EST 2002


Tags are my favorite part of snort right now.  They have increased my
ability to handle tons of alerts with snort and to have rules with which
I can catch full-out rootkit installs and response replies from various
exploits.

Now one thing that sucks is keeping track of rule revisions and the
tags I have to add on to each rule as they happen.  Oinkmaster ( cool
idea btw for out-of-the-way rule updating ) could have done this but I
like the idea of having an include tags.config and defining my tag
actions separately from the rules themselves.

To do this, I've done tagactions and tags that work on a rule AFTER it
has already been defined.

tagactions are variables that declare a specific "tag type".  These are
the same arguments as are used for the tag: rule option.

example:

config tagaction:  host_tagging, host, 300, seconds

defines a "host_tagging" tagaction with a value of "host, 300, seconds"

Now I've also added a tag config option that allows one to take these
tagactions and apply them to a specific sid.  sids are important.
Make sure your personal rules get them and they are distinct.

Now let's say we have a simple rule:

# alert anytime someone says wee to our webserver
alert tcp any any -> any 80 (content: "wee"; msg: "wee"; sid: 123123;)

config tag: host_tagging, 123123

applies the "host_tagging" action to the rule with SID of 123123.

This is now just like having a rule that was written to be:
alert tcp any any -> any 80 (content: "wee"; msg: "wee"; \
            sid: 123123; tag: host, 300, seconds;)

But if we are careful, magical tools like diff and cvs will now work
and tell us the differences between snort's rules and ours, and when
revs are bumped we don't have to worry about getting our tag action
right again.

I've only tested this quickly and this is a product of this evening's
canceled dinner plans so caveat emptor.


TODO:

Have the tag application process occur at the END of rules processing
no matter when it's defined.

Better action names?

Comments?

This is a diff against snort-1.8.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tagaction.patch.gz
Type: application/octet-stream
Size: 2357 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020104/56c43aa7/attachment.obj>
-------------- next part --------------

-- 
Chris Green <cmg at ...81...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
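A small Python model of the tagaction/tag mechanism described in the post, added here as an illustration; it is not code from the post, from the attached patch, or from snort itself. It assumes one-line rules in the `action header (options)` form shown above, defers every `config tag:` line until all rules have been read (the ordering the TODO asks for), rejects duplicate or unknown sids, and keeps `;` inside quoted `content`/`msg` strings intact. The sample config lines, including the second tagaction, are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One-line Snort rule: "<action> <header> (<options>)".
RULE_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$")


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'k: v; k2: v2;' into (key, value) pairs, ignoring ';' inside double quotes."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote = False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                key, _, value = item.partition(":")
                pairs.append((key.strip(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:  # last option written without a trailing ';'
        key, _, value = tail.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


@dataclass
class Rule:
    action: str
    header: str
    options: List[Tuple[str, str]]

    @property
    def sid(self) -> int:
        for key, value in self.options:
            if key == "sid":
                return int(value)
        raise ValueError("rule has no sid: " + self.render())

    def render(self) -> str:
        """Print the rule as if the tag option had been written into it by hand."""
        body = " ".join(f"{k}: {v};" for k, v in self.options)
        return f"{self.action} {self.header} ({body})"


def load_config(lines: List[str]) -> Dict[int, Rule]:
    """Read tagaction definitions, rules and 'config tag:' requests; apply tags at the end."""
    tagactions: Dict[str, str] = {}          # name -> "host, 300, seconds"
    pending: List[Tuple[str, int]] = []      # (tagaction name, sid), applied after all rules
    rules: Dict[int, Rule] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config tagaction:"):
            name, _, value = line[len("config tagaction:"):].partition(",")
            tagactions[name.strip()] = value.strip()
        elif line.startswith("config tag:"):
            name, _, sid = line[len("config tag:"):].partition(",")
            pending.append((name.strip(), int(sid)))
        else:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsable line: " + line)
            rule = Rule(m["action"], m["header"].strip(), split_options(m["opts"]))
            if rule.sid in rules:  # sids must be distinct, or the tag lands on the wrong rule
                raise ValueError(f"duplicate sid {rule.sid}")
            rules[rule.sid] = rule
    # Deferred application: order of 'config tag:' vs. rule lines no longer matters.
    for name, sid in pending:
        if name not in tagactions:
            raise ValueError(f"unknown tagaction {name!r} for sid {sid}")
        if sid not in rules:
            raise ValueError(f"config tag references unknown sid {sid}")
        rules[sid].options.append(("tag", tagactions[name]))
    return rules


def render_rules(config_text: str) -> List[str]:
    rules = load_config(config_text.splitlines())
    return [rules[sid].render() for sid in sorted(rules)]


# Constructed sample config: tag actions defined separately from the rules,
# one tag requested before its rule appears, one after.
SAMPLE_CONFIG = """
config tagaction:  host_tagging, host, 300, seconds
config tagaction:  session_tagging, session, 50, packets

config tag: host_tagging, 123123

# alert anytime someone says wee to our webserver
alert tcp any any -> any 80 (content: "wee"; msg: "wee"; sid: 123123;)
alert tcp any any -> any 22 (msg: "ssh; with semicolon"; sid: 123124;)
config tag: session_tagging, 123124
"""

if __name__ == "__main__":
    for rendered in render_rules(SAMPLE_CONFIG):
        print(rendered)
```

Running the block prints each rule with its tag option appended, matching the hand-written equivalent in the post; a duplicate sid or a `config tag:` naming an undefined tagaction or unknown sid raises before any tag is applied, which is the failure a rule-update script would want to catch instead of silently tagging nothing.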

