Support #1869

closed

Tag rule option

Added by gv oleg over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hello, what is the status of the 'tag' rule option? Can it be used? Maybe in master.

My latest Suricata version (3.0.1) doesn't support it. Does the latest 3.1.1 support it?

I very much need the ability to alert on some number of packets after a given rule alerted.

Thanks!

Actions #1

Updated by Jason Ish over 7 years ago

The tag option should be supported, as in it should not error out. However, logging of tagged packets was broken in unified2 (the only output that currently supports tagging).

Or did you mean something else by not supported?

Actions #2

Updated by Victor Julien over 7 years ago

  • Tracker changed from Feature to Support

Actions #3

Updated by gv oleg over 7 years ago

Yes, I've checked that this option (tag) is correctly parsed, but the unified2 binary log doesn't contain tagged packets.

So, how long should I wait for a fix? A month or half a year, for example? Maybe some rough time estimate exists for fixing up unified2 logging of tagged packets?

It's important for me to know whether to start learning the code and try to correct it on my own, or to wait for your fix.

Actions #4

Updated by Jason Ish over 7 years ago

  • Status changed from New to Closed

Ok, you'll want to check out the git master version of Suricata; it fixes tagging for unified2 alerts. It will also be in the next patch release, which shouldn't be too far away.

Actions #5

Updated by gv oleg over 7 years ago

As I've seen in https://github.com/inliniac/suricata/pull/2199, tag logging is now working, but only for EVE logging.

So for unified2, is there no plan to fix tagging of packets in the near future?
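For readers landing here with the same question, this is an added example (not from the ticket or the Suricata project) of what "alert on some number of packets after a given rule alerted" looks like in practice: a rule that uses the `tag` keyword, and the `eve-log` alert stanza that has to have `tagged-packets` enabled for those extra packets to appear in eve.json. The rule, its sid and the port are constructed for illustration.

```yaml
# Constructed rule (goes in a .rules file, not in suricata.yaml):
# the `tag` keyword asks the engine to keep logging packets of the same
# session after the alert fires, here the next 10 packets.
#
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
#       msg:"EXAMPLE ssh session tagged for follow-up"; \
#       flow:to_server,established; \
#       tag:session,10,packets; \
#       sid:1000001; rev:1;)
#
# Without the output side enabled, the tag is parsed but nothing extra is
# written, which is the symptom described in this ticket. In suricata.yaml
# the eve-log alert type must have tagged-packets switched on:
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            # log the packets that follow an alert for rules using `tag`
            tagged-packets: yes
```

With this in place the tagged follow-up packets are written to eve.json alongside the original alert; unified2 output is not covered by this stanza.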

Actions #6

Updated by Victor Julien over 7 years ago

Fixed in #1854
