[Snort-devel] 2 Questions about tag option
cmg at ...402...
Thu Mar 27 05:55:02 EST 2003
"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
> Has the tag rule option changed in 2.0? In particular should "tag:
> host, packets, 300, src" still work? It looks like the src and dst
> attributes are no longer functioning. My testing shows that tag host
> really means tag host src AND dst regardless of which (src or dst) you

Need to go test that out.

> Second question? How does tagging interact with stream reassembly?
> My testing shows tagged packets getting logged twice, first individual
> packets and then again as one packet, presumably from stream
> reassembly. I have found the packet tagging to be an extremely useful
> feature. I use it extensively to capture packets after a particular
> attack so that I can determine the success of the attack.

Yeah it does do both. It should probably be changed to ignore rebuilt

Chris Green <cmg at ...402...>
Fame may be fleeting but obscurity is forever.