[Snort-devel] Proposal for Tagged Packets

Chris Green cmg at ...402...
Fri Mar 28 05:38:24 EST 2003


Matthew Callaway <matt at ...807...> writes:

> Snort crew,
>
> Congrats on 2.0.0rc1.  Pretty exciting to see the official 2.0.0 almost
> here.
>
> I've been curious to see how the tag functionality evolves, given the
> statement in the 1.9.1 manual that dynamic rules are being phased out.
> Taking a look at the 2.0.0rc1 code, in detect.c, I see that the current
> tag function appears to log packets for a given duration after a tag
> rule is triggered, to allow a person to make decisions about the results
> of an attack.
>
> It seems to me that a more powerful function would be to use tags to
> apply subsequent rules to a given stream, and thus to allow snort to do
> the checking to see if an attack was successful or not.  For example:
>
> Rule 1: look for anonymous ftp login, tag and watch the next N packets
> Rule 2: in the tagged stream, look for a different rule match and alert if so.

That's why tagging is meant to replace the activate/dynamic junk. Simply
being tagged might be too broad of a constraint on busy networks, but
something like that will be figured out during the 2.1 dev cycle.

-- 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
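Below, as an added illustration that is not part of the original thread and not Snort project code, are the three forms under discussion written side by side in Snort rule syntax: the 1.x activate/dynamic pair that the thread says is being phased out, the 2.0 tag option that replaces it, and the two-stage "tag, then keep matching in the tagged stream" check Matthew describes, shown the way it was later expressed with flowbits (a feature of the 2.1-era rule language, not present in 2.0.0rc1). The sid values, the message strings, the flowbit name ftp.anon_login and the "STOR" follow-up check are placeholders chosen for this example; $HOME_NET and $EXTERNAL_NET are the usual snort.conf variables.

```snort
# 1.x style: activate/dynamic pair (placeholder sids, example only).
# The activate rule alerts on the trigger and switches on dynamic rule 1,
# which then logs the next 50 packets matching its header. Nothing further
# is matched against those packets; they are only captured for an analyst.
activate tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login (activate form)"; flow:to_server,established; content:"USER anonymous"; nocase; activates:1; sid:1000001; rev:1;)
dynamic tcp $EXTERNAL_NET any -> $HOME_NET 21 (activated_by:1; count:50;)

# 2.0 style: the tag option folds the pair above into one rule.
# tag:session,50,packets logs the next 50 packets of the same session after
# the alert fires. As in the activate/dynamic form, the tagged packets are
# logged, not re-evaluated against other rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login, tag session"; flow:to_server,established; content:"USER anonymous"; nocase; tag:session,50,packets; sid:1000002; rev:1;)

# The two-stage check the proposal asks for, as later expressed with flowbits.
# Rule 1 marks the flow and stays quiet; rule 2 fires only on a flow carrying
# that mark, so the second condition ("did the anonymous session try to write?")
# is evaluated by Snort rather than by a person reading tagged packets.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login (sets flowbit)"; flow:to_server,established; content:"USER anonymous"; nocase; flowbits:set,ftp.anon_login; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous session attempted upload"; flow:to_server,established; flowbits:isset,ftp.anon_login; content:"STOR"; nocase; sid:1000004; rev:1;)
```

The difference Matthew is pointing at is visible in the last pair: the tag and activate/dynamic forms answer "what happened after the trigger?" by handing packets to a human, while the flowbit pair lets the follow-up rule decide, and on a busy link it is only evaluated on flows that already carry the mark, which is the narrower constraint Chris mentions wanting.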
