tag:host

["Xin, Qiao" <qxin () cio sc gov>]

Hi,

I have a question on how the tag:host works. I have a rule based on the content of the packet as

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--";content:"bad content";nocase; tag:host, 60, packets, 
dst; classtype:bad-unknown;sid:1000001;rev:0;)

I want to capture traffic of coming from any HOME_NET host to the destination IP in the alert packets.
Will "tag:host" and the "dst" option work?
If it works, in which file will the captured packets by the tag:host be stored?
How can we easily associate the packets captured by the tag:host action with the packets captured by the snort alert?

Thanks,
Qiao
-------------------




------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!