Snort - the de facto standard for intrusion detection/prevention

Format

tag: <type>, <count>, <metric>, [direction]

type
 
  • session - Log packets in the session that set off the rule
  • host - Log packets from the host that caused the tag to activate (uses [direction] modifier)
count
 
  Count is specified as a number of units. Units are specified in the <metric> field.
metric
 
  • packets - Tag the host/session for <count> packets
  • seconds - Tag the host/session for <count> seconds

Note that any packet which itself generates an alert will not be tagged. For example, it may seem that the following rule will tag the first 600 seconds of traffic for any packet involving 10.1.1.1:

alert tcp any any <> 10.1.1.1 any (tag:host,600,seconds,src;)

However, since the rule fires on every packet involving 10.1.1.1, every such packet is logged as an alert and none is ever tagged. The flowbits option is useful here: the first packet of a session sets a flowbit and starts the tag, and later packets of that session no longer match the rule, so they get tagged instead.

alert tcp any any <> 10.1.1.1 any (flowbits:isnotset,tagged; \
    flowbits:set,tagged; tag:host,600,seconds,src;)
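The following is an added example, not code from the Snort manual: a small Python model of the two rules above run over constructed traffic. It assumes a simplified engine in which an alerting packet is never tagged, tag:host,...,src keys the tag on the alerting packet's source IP and then tags later packets carrying that IP within the time window, and flowbits are kept per flow (the class and function names are hypothetical).

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float   # seconds since capture start
    src: str
    dst: str

@dataclass
class Rule:
    host: str            # IP the rule matches on either side ("<>")
    tag_seconds: int     # tag:host,<count>,seconds,src
    use_flowbits: bool   # guard with flowbits:isnotset,tagged; flowbits:set,tagged;

def run(rule, packets):
    """Return (alerted, tagged) index lists.  Simplified model of Snort: a
    packet that alerts is never tagged; the host tag is keyed on the alerting
    packet's source IP and applies to later packets carrying that IP."""
    flows_with_bit = set()   # flows where the 'tagged' flowbit is set
    tag_expiry = {}          # host IP -> time until which it stays tagged
    alerted, tagged = [], []
    for i, p in enumerate(packets):
        flow = frozenset((p.src, p.dst))
        matches = rule.host in (p.src, p.dst)
        if rule.use_flowbits and flow in flows_with_bit:
            matches = False    # flowbits:isnotset,tagged fails on this flow
        if matches:
            alerted.append(i)  # logged as an alert, so never tagged
            if rule.use_flowbits:
                flows_with_bit.add(flow)   # flowbits:set,tagged
            tag_expiry.setdefault(p.src, p.t + rule.tag_seconds)
        elif any(ip in tag_expiry and p.t <= tag_expiry[ip] for ip in (p.src, p.dst)):
            tagged.append(i)
    return alerted, tagged

# Constructed traffic: one client session with 10.1.1.1, then late/unrelated packets
PACKETS = [
    Packet(0, "192.168.1.5", "10.1.1.1"),
    Packet(1, "10.1.1.1", "192.168.1.5"),
    Packet(2, "192.168.1.5", "10.1.1.1"),
    Packet(700, "192.168.1.5", "10.1.1.1"),     # outside the 600 s window
    Packet(701, "192.168.1.9", "192.168.1.5"),  # does not involve 10.1.1.1
]

def without_flowbits():
    return run(Rule("10.1.1.1", 600, use_flowbits=False), PACKETS)

def with_flowbits():
    return run(Rule("10.1.1.1", 600, use_flowbits=True), PACKETS)

if __name__ == "__main__":
    print("plain tag rule:", without_flowbits())   # every packet alerts, nothing tagged
    print("flowbits guard:", with_flowbits())      # first packet alerts, later ones are tagged
```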



Steven Sturges 2006-12-08