[Snort-users] tag:host

Xin, Qiao qxin at ...17138...
Wed Apr 15 13:54:13 EDT 2015


I have a question on how the tag:host works. I have a rule based on the content of the packet as

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--";content:"bad content";nocase; tag:host, 60, packets, dst; classtype:bad-unknown;sid:1000001;rev:0;)

I want to capture traffic of coming from any HOME_NET host to the destination IP in the alert packets.
Will "tag:host" and the "dst" option work?
If it works, in which file will the captured packets by the tag:host be stored?
How can we easily associate the packets captured by the tag:host action with the packets captured by the snort alert?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150415/4dcb7e0b/attachment.html>

More information about the Snort-users mailing list