Re: question regarding tag modifier

[Joel Esler <jesler () sourcefire com>]

James,

The Stream preprocessor monitors when the session either ends, or the
time-out happens.  So yes, there is some logic involved (a lot of logic) to
monitor the session.


On Tue, Jul 9, 2013 at 1:06 PM, James Dickenson <jdickenson () gmail com>wrote:

> I have, perhaps a dumb, question regarding the tag modifier for rules.  I
> have some rules that I want to add 'tag:session,20,seconds' or something
> similar.  What I was hoping to get clarification on is what mechanism is
> used to determine if the session ends and it no longer writing packets to
> disk.  Does snort merely capture any traffic between the ip/port pair for
> the duration or does it have some logic to realize the session has been
> closed down via FIN or RST flag.
>
> Basically I'm trying to determine if there is a performance impact with
> adding tag:session for long durations (10-30 seconds).  I realize that
> there is waaay more significant factors when tuning a sensor/ruleset.  But
> please humor me in my quest for knowledge!
>
> Thanks,
>
> -James D.
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!