[Snort-sigs] Question about the 'tag' keyword

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Sat Dec 4 17:18:50 EST 2010


Hello.

I was looking at the Snort manual and reading about the 'tag' keyword
and it says this:

   Format
   tag: <type>, <count>, <metric>, [direction];

But one of the examples has this (page 174):

   tag:host,0,packets,600,seconds,src;

So I guess my question is, can you really do multiple <count> and
<metric> in the same rule?  If so, what takes precedence?

Thanks.

-L0rd Ch0de1m0rt



