[Snort-sigs] Bad tag directive in bleeding snort rule?

Subject: [Snort-sigs] Bad tag directive in bleeding snort rule?
Date: Wed, 4 May 2005 09:36:54 +1000
Hi all,

Bleeding snort rule with sid 2001879 (Joe Stewart) contains:

    tag : 200 ;

and I'm not too sure what this does.

The tag directive is listed in the documentation as:

    3.7.5 tag
    The tag keyword allows rules to log more than just the single packet
    that triggered the rule. Once a rule is triggered, additional traffic
    involving the source and/or destination host is tagged. Tagged
    traffic is logged to allow analysis of response codes and post-attack
    traffic. Tagged alerts will be sent to the same output plugins as the
    original alert, but it is the responsibility of the output plugin to
    properly handle these special alerts. Currently, the database output
    plugin, described in Section 2.5.6, does not properly handle tagged
    alerts.

    Format
    tag: <type>, <count>, <metric>, [direction]

Which seems to imply that tag requires either three or four parameters.

This looks like another instance of the snort rule parser being overly
permissive in what it accepts.

Anyone have any light to shine on this?

Cheers,
Erik
-- 
-------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo@sensorynetworks.com
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L6/140 William St, East Sydney NSW 2011, Australia
-------------------------------------------------------
A good debugger is no substitute for a good test suite.
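A strict checker for the `tag` option, added here as an example and not code from the post, from Bleeding Snort or from Snort itself. It enforces the documented format `tag: <type>, <count>, <metric>, [direction]` and so rejects the `tag : 200 ;` form the post asks about, where Snort's own parser accepts it. It assumes the 2005-era Snort 2.x vocabulary (types `session`/`host`, metrics `packets`/`seconds`/`bytes`, directions `src`/`dst`); the sample rules, their sids and the function names are constructed for the demo.

```python
import re

# Vocabulary taken from the tag format quoted in the post
# (Snort manual 3.7.5: tag: <type>, <count>, <metric>, [direction]).
# Assumption: the 2005-era Snort 2.x grammar; later releases extend it.
TAG_TYPES = {"session", "host"}
TAG_METRICS = {"packets", "seconds", "bytes"}
TAG_DIRECTIONS = {"src", "dst"}

# Matches one `tag ... ;` option inside a rule's option section.
TAG_OPTION_RE = re.compile(r"\btag\s*:\s*([^;]*);")


class TagSyntaxError(ValueError):
    """Raised for a tag option that does not match the documented format."""


def parse_tag(option: str) -> dict:
    """Strictly parse one `tag: ...;` rule option.

    Returns {"type", "count", "metric", "direction"} on success and raises
    TagSyntaxError otherwise, instead of silently accepting the option the
    way the permissive Snort rule parser described in the post does.
    """
    m = re.fullmatch(r"\s*tag\s*:\s*(.*?)\s*;?\s*", option)
    if m is None:
        raise TagSyntaxError(f"not a tag option: {option!r}")
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) not in (3, 4):
        raise TagSyntaxError(
            f"tag needs 3 or 4 comma-separated fields, got {len(fields)}: {option!r}")
    tag_type, count, metric = fields[:3]
    direction = fields[3] if len(fields) == 4 else None
    if tag_type not in TAG_TYPES:
        raise TagSyntaxError(f"unknown tag type {tag_type!r}")
    if not count.isdigit():
        raise TagSyntaxError(f"tag count must be an integer, got {count!r}")
    if metric not in TAG_METRICS:
        raise TagSyntaxError(f"unknown tag metric {metric!r}")
    if direction is not None:
        if direction not in TAG_DIRECTIONS:
            raise TagSyntaxError(f"unknown tag direction {direction!r}")
        # The manual describes direction as relevant to host tagging only;
        # this checker is stricter than Snort and rejects it for sessions.
        if tag_type != "host":
            raise TagSyntaxError("direction is only valid with type host")
    return {"type": tag_type, "count": int(count), "metric": metric,
            "direction": direction}


def lint_rule(rule: str) -> list:
    """Return the problems found in the tag options of one rule text.

    Only the option section inside the outermost parentheses is inspected;
    a `tag` appearing inside a content string would need a real rule
    tokenizer, which is out of scope for this demo.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["rule has no option section"]
    problems = []
    for m in TAG_OPTION_RE.finditer(rule[start + 1:end]):
        try:
            parse_tag(m.group(0))
        except TagSyntaxError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample rules (hypothetical sids). The first mimics the
# `tag : 200 ;` option the post asks about; the others follow the manual.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"demo bad tag"; '
    'flow:established; tag : 200 ; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"demo session tag"; '
    'tag:session,30,seconds; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"demo host tag"; '
    'tag:host, 100, packets, src; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for problem in lint_rule(rule) or ["ok"]:
            print(problem)
```

Running the block reports the one-field `tag : 200 ;` as malformed and passes the two documented forms; pointing `lint_rule` at a whole ruleset is a quick way to find other options that only survive because the rule parser does not validate them.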


Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
