Bug #1854
unified2: logging of tagged packets not working
Status: closed
Description
Using a simple rule I was unable to get tagged packets to log:
alert tcp any any -> any any (msg:"MY TEST RULE"; content:"START LOGGING"; flow: established; tag: session, 1000, packets; sid: 1; rev: 1;)
For tagged packets, pa-> is always NULL (https://github.com/inliniac/suricata/blob/master/src/alert-unified2-alert.c#L1068) as the PacketAlert returned by PacketAlertGetTag() is always NULL.
The cause is that PacketAlertTagInit() is never called to initialize this structure.
It looks like a quick fix is to just call PacketAlertTagInit(), which does result in tagged packets being logged. However, they are logged with a GID:2 event, which is unified1 behaviour, not unified2.
Unified2 logs the tagged packets as a Packet record without a preceding Event record. It uses the event_id and event_second fields to associate the packet record with its initiating alert record, which is a better method than the unified2 way.
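As an added example, not code from the ticket or from Suricata, the following Python reader shows the association described above: it walks a unified2 spool, pairs each Packet record with the Event record sharing its (sensor_id, event_id, event_second), and flags packets that no event explains. The record layouts are Snort's unified2 IPv4 event (type 7) and packet (type 2) records; the builder helpers and the sample spool are constructed here.

```python
import struct

# Record types and layouts from the unified2 format (Snort's unified2 spec)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FMT = "!11I2H4B"   # Unified2IDSEvent (IPv4): 52 bytes
PACKET_FMT = "!7I"       # Unified2Packet header: 28 bytes, then the packet bytes

def parse_records(blob):
    """Yield (type, body) per record; a truncated tail record ends the walk cleanly."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        if off + 8 + rlen > len(blob):
            break
        yield rtype, blob[off + 8:off + 8 + rlen]
        off += 8 + rlen

def correlate(blob):
    """Attach each Packet record to the Event with the same (sensor_id, event_id, event_second).
    Returns (events, orphans). A GID 2 event is the unified1-style tag event from the report."""
    events, orphans = {}, []
    for rtype, body in parse_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body[:52])
            events[(f[0], f[1], f[2])] = {"sid": f[4], "gid": f[5], "packets": []}
        elif rtype == UNIFIED2_PACKET:
            sensor, eid, esec, _, _, _, plen = struct.unpack(PACKET_FMT, body[:28])
            key = (sensor, eid, esec)
            if key in events:
                events[key]["packets"].append(body[28:28 + plen])
            else:
                orphans.append(key)   # packet record with no initiating event record
    return events, orphans

def _rec(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body

def build_event(sensor, eid, esec, sid, gid):
    """Constructed IPv4 event record: 10.0.0.1:1234 -> 10.0.0.2:80, TCP, priority 3."""
    return _rec(UNIFIED2_IDS_EVENT, struct.pack(EVENT_FMT, sensor, eid, esec, 0, sid, gid, 1,
                                                0, 3, 0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0))

def build_packet(sensor, eid, esec, payload):
    """Constructed packet record (linktype 1); payload stands in for the captured frame."""
    return _rec(UNIFIED2_PACKET, struct.pack(PACKET_FMT, sensor, eid, esec, esec, 0, 1, len(payload)) + payload)

# Constructed sample spool: one sid 1 alert, its triggering packet, one tagged packet that
# reuses the alert's event_id (correct unified2 behaviour), and one packet no event explains.
SAMPLE = (build_event(1, 7, 1500000000, 1, 1)
          + build_packet(1, 7, 1500000000, b"START LOGGING")
          + build_packet(1, 7, 1500000000, b"tagged follow-up")
          + build_packet(1, 9, 1500000000, b"orphan"))

if __name__ == "__main__":
    ev, orph = correlate(SAMPLE)
    for key, info in ev.items():
        print(key, "sid", info["sid"], "gid", info["gid"], "packets", len(info["packets"]))
    print("orphan packet keys:", orph)
```

Run against a real unified2 spool, tagged packets from a working sensor show up under their alert's key, while the GID:2 events the report describes appear as separate events with `gid == 2`.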