[Snort-devel] 2 Questions about tag option
Lawrence.Reed at ...1489...
Wed Mar 26 08:17:10 EST 2003
Has the tag rule option changed in 2.0? In particular should "tag:
host, packets, 300, src" still work? It looks like the src and dst
attributes are no longer functioning. My testing shows that tag host
really means tag host src AND dst regardless of which (src or dst) you

Second question: How does tagging interact with stream reassembly? My
testing shows tagged packets getting logged twice, first as individual
packets and then again as one packet, presumably from stream reassembly.

I have found the packet tagging to be an extremely useful feature. I
use it extensively to capture packets after a particular attack so that
I can determine the success of the attack.

Larry Reed Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772