[Snort-users] question regarding tag modifier

James Dickenson jdickenson at ...11827...
Tue Jul 9 13:06:40 EDT 2013


I have, perhaps, a dumb question regarding the tag modifier for rules.  I
have some rules to which I want to add 'tag:session,20,seconds' or something
similar.  What I was hoping to get clarification on is what mechanism is
used to determine that the session has ended and it is no longer writing packets to
disk.  Does snort merely capture any traffic between the ip/port pair for
the duration, or does it have some logic to realize the session has been
closed down via a FIN or RST flag?

Basically I'm trying to determine if there is a performance impact from
adding tag:session for long durations (10-30 seconds).  I realize that
there are waaay more significant factors when tuning a sensor/ruleset.  But
please humor me in my quest for knowledge!

Thanks,

-James D.