Support #1869
Tag rule option
Status: Closed
Description
Hello, what is the status of the 'tag' rule option? Can it be used? Maybe in master.
My latest Suricata version (3.0.1) doesn't support it. Does the latest 3.1.1 support it?
I very much need the ability to alert on some number of packets after a given rule has alerted.
Thanks!
Updated by Jason Ish over 7 years ago
The tag option should be supported, as in it should not error out. However, logging of tagged packets was broken in unified2 (the only output that currently supports tagging).
Or did you mean something else by not supported?
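For readers who land here looking for the syntax, here is an added example (not from the ticket or the Suricata project) of how the tag keyword expresses "keep logging packets after this rule fires". The rules, sids and the $HOME_NET ports are made up for illustration; the keyword form is tag:<session|host>,<count>,<packets|seconds|bytes>[,src|dst], the same Snort-derived syntax Suricata parses.

```suricata
# Tag the rest of this TCP session for the next 20 packets once the SYN to port 22 matches.
# "session" ties the tag to the flow, so both directions are captured.
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE SSH SYN, tag next 20 packets of the session"; flow:to_server; flags:S,12; tag:session,20,packets; sid:1000001; rev:1;)

# Tag every packet from the source host for 60 seconds after the match, regardless of flow.
# "host" plus "src" keys the tag on the source IP rather than on the session.
alert tcp any any -> $HOME_NET 23 (msg:"EXAMPLE telnet SYN, tag source host for 60 seconds"; flow:to_server; flags:S,12; tag:host,60,seconds,src; sid:1000002; rev:1;)
```

Parsing the rule is only half of what the reporter needs: the output module must also write the tagged packets. As the thread notes, on the versions discussed here that path was broken in unified2, and the EVE fix came later via the pull request linked below. On releases with EVE support for tagging, the alert output in suricata.yaml needs tagged-packets enabled under the eve-log alert section (tagged-packets: yes), and the tagged packets then show up as their own EVE records rather than as alerts. Verify with a test capture: replay traffic that triggers sid 1000001 and confirm that packets after the SYN appear in the log, not just the single alert.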
Updated by Victor Julien over 7 years ago
- Tracker changed from Feature to Support
Updated by gv oleg over 7 years ago
Yes, I've checked that this option (tag) is correctly parsed, but the unified2 binary log doesn't contain tagged packets.
So, how long is the wait for a fix? A month or half a year, for example? Maybe some rough time estimate exists for fixing unified2 logging of tagged packets?
It's important for me to know whether to start learning the code and try to correct it on my own, or to wait for your fix.
Updated by Jason Ish over 7 years ago
- Status changed from New to Closed
Ok, you'll want to check out the git master version of Suricata; it fixes tagging for unified2 alerts. It will also be in the next patch release, which shouldn't be too far away.
Updated by gv oleg over 7 years ago
As I've seen in https://github.com/inliniac/suricata/pull/2199, tag logging is now working, but only for EVE logging.
So, for unified2, is there no plan to fix tagging of packets in the near future?