Hosting Provided By

[Snort-devel] tag behavior in 2.0.6+

From: Andreas Östling <andreaso(at)it.su.se>
Date: Sat Feb 28 2004 - 11:16:44 EST

Hello,

>From 2.0.5 to 2.0.6 there was a change in the tag logic. In 2.0.5 and
earlier, "tag:host,src,10,seconds;" meant that if there was an alert where host Foo was src, all packets to or from Foo were logged the following 10 seconds. In 2.0.6 and later (including 2.1.1) however, the same tag statement logs all packets the following 10 seconds only where Foo is src, instead of src or dst.

It looks like this change was intentional (by removing the reverse host tag list check in tag.c). This really changes how tagging works and personally I really don't like the new behavior. Can an option at least be added to revert to old behavior?

/Andreas

SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Sat Feb 28 11:23:27 2004

This message: [ Message body ]
Next message: Gaurav_Jindal: "[Snort-devel] how to add new function to snort ow to use debug option"
Previous message: jayesh: "[Snort-devel] restarting snort as a daemon process"
Next in thread: Russell Fulton: "Re: [Snort-devel] tag behavior in 2.0.6+"
Reply: Russell Fulton: "Re: [Snort-devel] tag behavior in 2.0.6+"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT