[Snort-devel] 2 Questions about tag option

Lawrence Reed Lawrence.Reed at ...1489...
Wed Mar 26 08:17:10 EST 2003


Has the tag rule option changed in 2.0?  In particular, should
"tag: host, packets, 300, src" still work?  It looks like the src and dst
attributes are no longer functioning.  My testing shows that tag host
really means tag host src AND dst, regardless of which (src or dst) you
specify.

Second question: how does tagging interact with stream reassembly?  My
testing shows tagged packets getting logged twice, first as individual
packets and then again as one packet, presumably from stream reassembly.

I have found the packet tagging to be an extremely useful feature.  I 
use it extensively to capture packets after a particular attack so that 
I can determine the success of the attack.



-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772





