[Snort-devel] bug with 'tag' on OpenBSD 3.3+

Jon Hart warchild at ...1775...
Sun Sep 7 14:00:04 EDT 2003

On Tue, Sep 02, 2003 at 08:33:18AM -0400, Chris Green wrote:
> Yeah... Note: update docs is the N^Nth item on my todo list :(
> Patches to snortman.tex accepted :)

Done.  Just a minor update to the Tag and Database sections to note that
spo_database won't handle tagged alerts properly, plus some minor

Hope this helps,

--- snort-orig/doc/snortman.tex	2003-09-06 03:15:16.000000000 -0400
+++ snort-new/doc/snortman.tex	2003-09-07 16:52:09.000000000 -0400
@@ -1830,9 +1830,13 @@
 The tag keyword allow rules to log more than just the single packet
 that triggered the rule. Once a rule is triggered, additional traffic
-involving the source host is ``tagged''. Tagged traffic is logged
-to allow analysis of response codes and post-attack traffic. See Figure
-\ref{tag keyword example} for usage examples.
+involving the source and/or destionation host is ``tagged''. Tagged 
+traffic is logged to allow analysis of response codes and post-attack traffic.
+``tagged'' alerts will be sent to the same output plugins as the original alert,
+but it is the responsibility of the output plugin to properly handle these special 
+alerts.  Currently, the database output plugin, described in Section \ref{database 
+section}, does not properly handle ``tagged'' alerts.
+See Figure \ref{tag keyword example} for usage examples.
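Review bot: the added line `+involving the source and/or destionation host is ``tagged''.` misspells "destination"; correct it before this goes into the manual. In the same hunk, the sentence beginning ```tagged'' alerts will be sent to the same output plugins` starts lowercase after a full stop (consider "Tagged alerts are sent ..."), several of the `+` lines carry trailing whitespace, and the cross-reference `\ref{database section}` is broken across two source lines (`\ref{database ` / `section}`); keep the whole `\ref{...}` on one line so the key is easy to find and cannot be mangled by a later reflow.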
@@ -2912,7 +2916,7 @@
+\subsection{Database \label{database section}}
 This module from Jed Pickel sends Snort data to a variety of SQL databases.
 More information on installing and configuring this module can be
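Review bot: this hunk shows only an added `+\subsection{Database \label{database section}}` line and no matching `-` line removing the existing `\subsection{Database}` heading, yet the header `@@ -2912,7 +2916,7 @@` counts a one-for-one replacement; either the `-` line was lost in transit or the patch as shown would leave two Database subsection headings in the manual. Please confirm the old heading line is removed in the version that gets applied.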
@@ -2992,6 +2996,9 @@
 the plugin. These are MySQL, PostgreSQL, Oracle, and unixODBC-compliant
 databases. Set the type to match the database you are using.
+Note that this output plugin does not have the ability to handle alerts that
+are generated by using the tag keyword.  See Section \ref{tag section} for more details.
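Review bot: `\ref{tag section}` on the second added line has no corresponding `\label{tag section}` anywhere in this patch, whereas the database section is given `\label{database section}` in the previous hunk; unless the tag subsection already carries that label, this reference will render as "??". Add `\label{tag section}` to the tag subsection heading in the first hunk, mirroring the database change. Minor: the header `@@ -2992,6 +2996,9 @@` implies three added lines but only two `+` lines are visible, so check that the patch applies cleanly, and "does not have the ability to handle" reads more simply as "cannot handle".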

