No subject


Thu Nov 23 16:31:58 EST 2017


earlier, "tag:host,src,10,seconds;" meant that if there was an alert 
where host Foo was src, all packets to or from Foo were logged the 
following 10 seconds. In 2.0.6 and later (including 2.1.1) however, the 
same tag statement logs all packets the following 10 seconds only where 
Foo is src, instead of src or dst.

It looks like this change was intentional (by removing the reverse host 
tag list check in tag.c). This really changes how tagging works and
personally I really don't like the new behavior. Can an option at least 
be added to revert to old behavior?

/Andreas
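To make the difference concrete, here is a small simulator (added here as an illustration, not Snort's own tag.c code) of the two behaviours described above for a "tag:host,src,10,seconds;" option: the pre-2.0.6 variant logs later packets where the tagged host is src or dst, the 2.0.6+ variant only where it is src. The packet list and the host addresses are constructed for the example, and treating the window boundary as inclusive is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int    # seconds since start of capture
    src: str
    dst: str


def tagged_packets(packets, alert_idx, duration, src_only):
    """Packets logged by tag:host,src,<duration>,seconds after an alert.

    src_only=False models the older behaviour (tagged host as src OR dst).
    src_only=True  models 2.0.6+ behaviour (tagged host must be src).
    The window is taken as inclusive of alert.ts + duration (assumption).
    """
    alert = packets[alert_idx]
    host = alert.src                      # tag:host,src -> tag the alert's source
    deadline = alert.ts + duration
    logged = []
    for pkt in packets[alert_idx + 1:]:   # only packets after the alert
        if pkt.ts > deadline:
            break                         # packets are in time order
        if pkt.src == host or (not src_only and pkt.dst == host):
            logged.append(pkt)
    return logged


# Constructed sample traffic; FOO is the host that triggered the alert at ts=0.
FOO, PEER, OTHER = "10.0.0.5", "192.168.1.10", "192.168.1.20"
SAMPLE = [
    Packet(0, FOO, PEER),      # the alerting packet
    Packet(1, FOO, PEER),      # Foo as src     -> logged by both
    Packet(2, PEER, FOO),      # Foo as dst     -> old behaviour only
    Packet(3, OTHER, PEER),    # unrelated      -> never logged
    Packet(5, PEER, FOO),      # Foo as dst     -> old behaviour only
    Packet(9, FOO, OTHER),     # Foo as src     -> logged by both
    Packet(11, PEER, FOO),     # outside the 10 s window -> never logged
]


def logged_timestamps(src_only):
    return [p.ts for p in tagged_packets(SAMPLE, 0, 10, src_only)]


if __name__ == "__main__":
    print("old (src or dst):", logged_timestamps(False))   # [1, 2, 5, 9]
    print("2.0.6+ (src only):", logged_timestamps(True))   # [1, 9]
```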
