Thu Nov 23 16:31:58 EST 2017
earlier, "tag:host,src,10,seconds;" meant that if there was an alert
where host Foo was src, all packets to or from Foo were logged for the
following 10 seconds. In 2.0.6 and later (including 2.1.1), however, the
same tag statement logs all packets for the following 10 seconds only where
Foo is src, instead of src or dst.
It looks like this change was intentional (by removing the reverse host
tag list check in tag.c). This really changes how tagging works and
personally I really don't like the new behavior. Can an option at least
be added to revert to old behavior?
More information about the Snort-devel
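The two behaviours the post contrasts, as an added simplified model (not Snort's tag.c and not the poster's code): a host gets tagged when a rule fires, the tag expires after the configured number of seconds, and later packets are logged either when the tagged host is src or dst (the pre-2.0.6 behaviour described above) or only when it is src (the behaviour described for 2.0.6 and later). The packet trace, timestamps and the `match_both` switch are constructed for this example.

```python
"""Simplified model of Snort's "tag:host,...,seconds" packet tagging.

Added example to illustrate the post above; it is not code from Snort's
tag.c and not the poster's code. Hosts, timestamps and the match_both
switch are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of the constructed trace
    src: str
    dst: str
    alert: bool = False   # constructed flag: this packet matched the tagging rule


class HostTagger:
    """Tags a host when a rule fires and decides which later packets are logged.

    direction:  which host of the alerting packet gets tagged ("src" or "dst"),
                as in the post's "tag:host,src,10,seconds;"
    match_both: True  -> log packets where the tagged host is src OR dst
                False -> log only packets where the tagged host is src
                         (the 2.0.6+ behaviour the poster describes)
    """

    def __init__(self, seconds, direction="src", match_both=True):
        self.seconds = seconds
        self.direction = direction
        self.match_both = match_both
        self._tags = {}   # tagged host -> expiry timestamp

    def process(self, pkt):
        """Return True if pkt is logged because it started or matched a tag."""
        # Drop tags whose window has closed before looking at this packet.
        self._tags = {h: exp for h, exp in self._tags.items() if pkt.ts < exp}
        logged = False
        if pkt.alert:
            host = pkt.src if self.direction == "src" else pkt.dst
            self._tags[host] = pkt.ts + self.seconds
            logged = True   # the alerting packet itself is logged
        for host in self._tags:
            if pkt.src == host or (self.match_both and pkt.dst == host):
                logged = True
        return logged


def tagged_packets(packets, match_both):
    """Indexes of packets that a tag:host,src,10,seconds rule would log."""
    tagger = HostTagger(seconds=10, direction="src", match_both=match_both)
    return [i for i, p in enumerate(packets) if tagger.process(p)]


# Constructed trace: Foo triggers the rule at t=0, then traffic flows in both
# directions, and one more packet arrives after the 10 second window closes.
TRACE = [
    Packet(0.0, "Foo", "Bar", alert=True),   # 0: alert, Foo is src -> tag Foo
    Packet(2.0, "Foo", "Bar"),               # 1: Foo is src
    Packet(3.0, "Bar", "Foo"),               # 2: Foo is dst
    Packet(5.0, "Baz", "Bar"),               # 3: unrelated hosts
    Packet(9.0, "Bar", "Foo"),               # 4: Foo is dst, still inside window
    Packet(11.0, "Foo", "Bar"),              # 5: window expired at t=10
]

if __name__ == "__main__":
    print("src or dst (pre-2.0.6 behaviour):", tagged_packets(TRACE, match_both=True))
    print("src only   (2.0.6+ behaviour):   ", tagged_packets(TRACE, match_both=False))
```

Running it shows the difference the post complains about: with `match_both=True` packets 0, 1, 2 and 4 are logged, with `match_both=False` only 0 and 1, and packet 5 is never logged because the 10 second window has already expired. A `match_both`-style switch is exactly the kind of option the poster asks for.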