The tag keyword allows tagging of the current and future packets.
Tagged packets can be logged in EVE and conditional PCAP logging.
Tagging is limited to a scope: host or session (flow). When using host a direction can be specified: src or dst. Tagging will then occur based on the src or dst IP address of the packet generating the alert.
Tagging is further controlled by a count with a metric: packets, bytes or seconds. If the count is omitted, built-in defaults are used:
for session: 256 packets
for host: 256 packets for the destination IP of the packet triggering the alert
The tag keyword can appear multiple times in a rule.
Values for scope: session and host
Values for metric: packets, bytes, seconds
Values for direction: src and dst
"direction" can only be specified if scope is "host" and both "count" and "metric" are also specified.
    tag:session;                 # tags next 256 packets in the flow
    tag:host;                    # tags next 256 packets for the dst ip of the alert
    tag:host,100,packets,src;    # tags next 100 packets for src ip of the alert
    tag:host,3600,seconds,dst;   # tags packets for dst host for the next hour
Full rule examples:
alert dns any any -> any any (dns.query; content:"evil"; tag:host,60,seconds,src; sid:1;)
alert http any any -> any any (http.method; content:"POST"; tag:session; sid:1;)
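As an added illustration (not Suricata's own code), the following Python parser applies the syntax rules described above: the scope/count/metric/direction fields, the built-in defaults when the count is omitted, the restriction that a direction needs scope host plus count and metric, and the fact that a rule may carry more than one tag option. The fallback to dst when a host tag gives a count but no direction is an assumption made here, matching the documented host default.

```python
from dataclasses import dataclass
from typing import List, Optional

SCOPES = {"session", "host"}
METRICS = {"packets", "bytes", "seconds"}
DIRECTIONS = {"src", "dst"}

@dataclass(frozen=True)
class Tag:
    scope: str
    count: int
    metric: str
    direction: Optional[str]  # always None for session scope

def parse_tag(option: str) -> Tag:
    """Parse one tag option such as 'tag:host,100,packets,src' (trailing ';' allowed)."""
    text = option.strip().rstrip(";").strip()
    parts = [p.strip() for p in text[len("tag:"):].split(",")]
    if not text.startswith("tag:") or parts[0] not in SCOPES:
        raise ValueError(f"not a valid tag option: {option!r}")
    scope = parts[0]
    if len(parts) == 1:
        # Count omitted: built-in default is 256 packets; host scope tags the alert's dst IP.
        return Tag(scope, 256, "packets", "dst" if scope == "host" else None)
    if len(parts) not in (3, 4) or not parts[1].isdigit() or parts[2] not in METRICS:
        raise ValueError(f"count needs both a number and a metric: {option!r}")
    direction = parts[3] if len(parts) == 4 else None
    if direction is not None and (scope != "host" or direction not in DIRECTIONS):
        raise ValueError(f"direction must be src/dst and requires scope host: {option!r}")
    if scope == "host" and direction is None:
        direction = "dst"  # assumed: same default as the count-omitted host form
    return Tag(scope, int(parts[1]), parts[2], direction)

def split_options(body: str) -> List[str]:
    """Split a rule body on ';' while ignoring ';' inside double-quoted content."""
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    return opts

def tags_in_rule(rule: str) -> List[Tag]:
    """Collect every tag option in a rule; the keyword may appear more than once."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [parse_tag(o) for o in split_options(body) if o.strip().startswith("tag:")]
```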
8.47.4. Tracking by Host/Flow
When tags use the session scope, the tag is added to the Flow structure. If a packet has no flow, no tagging happens, and no errors or warnings are generated for this.
See Flow Settings for managing flow limits and resources.
When tags use the host scope, the tag is stored with a Host object in the host table. The host table size therefore affects the effectiveness of per-host tags.
See Host Settings for managing host table size.