Snort mailing list archives

question regarding tag modifier


From: James Dickenson <jdickenson () gmail com>
Date: Tue, 9 Jul 2013 10:06:40 -0700

I have a, perhaps dumb, question regarding the tag modifier for rules.  I
have some rules that I want to add 'tag:session,20,seconds' or something
similar.  What I was hoping to get clarification on is what mechanism is
used to determine if the session ends and it is no longer writing packets to
disk.  Does snort merely capture any traffic between the ip/port pair for
the duration, or does it have some logic to realize the session has been
closed down via FIN or RST flag?

Basically I'm trying to determine if there is a performance impact with
adding tag:session for long durations (10-30 seconds).  I realize that
there are waaay more significant factors when tuning a sensor/ruleset.  But
please humor me in my quest for knowledge!

Thanks,

-James D.
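The two behaviours James asks about can be modelled side by side. The Python below is an added illustration, not Snort's own tagging code, and it does not claim to say which policy Snort actually implements: it simply applies a `tag:session,20,seconds` window to a constructed TCP trace once under the "log the ip/port pair until the timer expires" hypothesis and once under the "also stop at FIN/RST" hypothesis, so the difference in logged packets (the performance question) is visible. The trace, the rule text and the `sid` are constructed placeholders; the port-reuse connection near the end of the trace is included to show what a purely time-based window would sweep up.

```python
"""Model of two candidate 'tag:session,<N>,seconds' behaviours.

Constructed example; not Snort's own implementation. The two policies are
the hypotheses from the question, not a statement of what Snort does.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of the constructed capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # subset of "SAFRP" (SYN, ACK, FIN, RST, PSH)

# Rule whose match would start the tag (constructed; sid is a placeholder).
RULE = ('alert tcp any any -> any 80 (msg:"tag demo"; content:"GET"; '
        'tag:session,20,seconds; sid:1000001;)')

CLIENT, CPORT = "10.0.0.5", 51000      # constructed endpoints (TEST-NET)
SERVER, SPORT = "192.0.2.10", 80

# Constructed trace: one HTTP exchange that closes cleanly, an unrelated
# client, then a second connection reusing the same ports inside the window.
TRACE = [
    Packet(0.0, CLIENT, CPORT, SERVER, SPORT, "S"),
    Packet(0.1, SERVER, SPORT, CLIENT, CPORT, "SA"),
    Packet(0.1, CLIENT, CPORT, SERVER, SPORT, "A"),
    Packet(0.2, CLIENT, CPORT, SERVER, SPORT, "PA"),   # GET: rule match (index 3)
    Packet(0.3, SERVER, SPORT, CLIENT, CPORT, "PA"),
    Packet(0.4, CLIENT, CPORT, SERVER, SPORT, "A"),
    Packet(0.5, CLIENT, CPORT, SERVER, SPORT, "FA"),   # client closes
    Packet(0.6, SERVER, SPORT, CLIENT, CPORT, "FA"),
    Packet(0.6, CLIENT, CPORT, SERVER, SPORT, "A"),
    Packet(5.0, "10.0.0.9", 40000, SERVER, SPORT, "S"),  # unrelated host
    Packet(15.0, CLIENT, CPORT, SERVER, SPORT, "S"),   # same ports reused
    Packet(15.1, SERVER, SPORT, CLIENT, CPORT, "SA"),
    Packet(15.1, CLIENT, CPORT, SERVER, SPORT, "A"),
    Packet(25.0, CLIENT, CPORT, SERVER, SPORT, "PA"),  # past the 20 s window
]
TRIGGER_INDEX = 3

def session_key(p):
    """Direction-independent ip/port pair identifying the session."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def tag_session(packets, trigger_idx, seconds, stop_on_close):
    """Return the packets a tag started at packets[trigger_idx] would log.

    stop_on_close=False: every packet of the ip/port pair until the timer
    expires (the 'capture by duration only' hypothesis).
    stop_on_close=True: the same, but tagging ends at the first FIN or RST.
    The triggering packet is included so the two counts are comparable.
    """
    trig = packets[trigger_idx]
    key = session_key(trig)
    deadline = trig.ts + seconds
    logged = []
    for p in packets[trigger_idx:]:
        if p.ts > deadline:
            break                      # window expired: stop walking
        if session_key(p) != key:
            continue                   # other sessions are never tagged
        logged.append(p)
        if stop_on_close and ("F" in p.flags or "R" in p.flags):
            break                      # connection teardown ends the tag
    return logged

def compare(packets, trigger_idx, seconds):
    """Packets logged under each hypothesis, for the same trigger."""
    return {
        "duration_only": len(tag_session(packets, trigger_idx, seconds, False)),
        "stop_on_close": len(tag_session(packets, trigger_idx, seconds, True)),
    }

if __name__ == "__main__":
    print(RULE)
    print(compare(TRACE, TRIGGER_INDEX, 20))
```

With the constructed trace, the time-only policy logs nine packets (including the three from the reused port pair), while stopping at FIN logs four; neither policy picks up the unrelated host, and the packet after the 20 s deadline is never examined. The model is meant to make the cost of long tag windows concrete, not to settle which behaviour a given Snort build has; that is what the question is asking the list.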