[Snort-devel] tag behavior in 2.0.6+

Russell Fulton r.fulton at ...1343...
Sat Feb 28 18:28:02 EST 2004


On Sun, 2004-02-29 at 05:16, Andreas Östling wrote:

> It looks like this change was intentional (by removing the reverse host 
> tag list check in tag.c). This really changes how tagging works and
> personally I really don't like the new behavior. Can an option at least 
> be added to revert to old behavior?

I support this request.  The old behaviour allows one to capture
responses to actions by a would be intruder.  Often these are enough to
confirm whether or not the attack succeeded.

One supplementary question: does snort include anything in the log which
links the tagged packets with the packet that caused the tagging to take
place?   I'm getting tagged packets turning up in ACID and I can't
figure out where they are from...
 
-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!






More information about the Snort-devel mailing list