[Snort-devel] 2 Questions about tag option

Chris Green cmg at ...402...
Thu Mar 27 05:55:02 EST 2003


"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:

> Has the tag rule option changed in 2.0?  In particular should "tag:
> host, packets, 300, src" still work?  It looks like the src and dst
> attributes are no longer functioning.  My testing shows that tag host
> really means tag host src AND dst regardless of which (src or dst) you
> specify.

Need to go test that out.

>
> Second question?  How does tagging interact with stream reassembly?
> My testing shows tagged packets getting logged twice, first individual
> packets and then again as one packet, presumably from stream
> reassembly.  I have found the packet tagging to be an extremely useful
> feature.  I use it extensively to capture packets after a particular
> attack so that I can determine the success of the attack.
>

Yeah it does do both.  It should probably be changed to ignore rebuilt
packets.
-- 
Chris Green <cmg at ...402...>
Fame may be fleeting but obscurity is forever.



