The tag Keyword
Use the tag keyword to tell the system to log additional traffic for the host or session. Use the following syntax when specifying the type and amount of traffic you want to capture using the tag keyword:
tagging_type, count, metric, optional_direction
The following three tables describe these arguments.
You can choose from two types of tagging, described in the following table. Note that the session tag argument type causes the system to log packets from the same session as if they came from different sessions if you configure only rule header options in the intrusion rule. To group packets from the same session together, configure one or more rule options (such as a flag keyword or a content keyword) within the same intrusion rule.
Argument | Description
---|---
session | Logs packets in the session that triggered the rule.
host | Logs packets from the host that sent the packet that triggered the rule. You can add a directional modifier (the optional_direction field) to log only the traffic in one direction relative to that host.
To indicate how much traffic you want to log, use the following argument:
Argument | Description
---|---
count | The number of packets or seconds you want to log after the rule triggers. The unit of measure is specified with the metric argument, which follows the count argument.
Select the metric you want to use to log by time or by volume of traffic from those described in the following table.
Caution: High-bandwidth networks can see thousands of packets per second, and tagging a large number of packets may seriously affect performance, so make sure you tune this setting for your network environment.
Argument | Description
---|---
packets | Logs the number of packets specified by the count after the rule triggers.
seconds | Logs traffic for the number of seconds specified by the count after the rule triggers.
For example, when a rule with the following tag keyword value triggers:
host, 30, seconds, dst
all packets that are transmitted from the client to the host for the next 30 seconds are logged.
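As an added illustration (example code written for this page, not part of the Cisco documentation or of the Snort engine), the following Python parses a tag keyword value into its fields, rejects malformed values, and applies the tag to a constructed packet trace to show which packets each tagging type, count, metric and direction would select. Several points are assumptions of this example rather than statements from the page: the packet trace itself, the session definition (same 5-tuple in either direction), accepting a direction modifier only with the host type, the names src and dst for the direction values and the reading that they select traffic sent by or sent to the triggering host, and counting only tagged packets against a packets budget.

```python
from dataclasses import dataclass
from typing import List, Optional

TAG_TYPES = ("session", "host")
METRICS = ("packets", "seconds")
DIRECTIONS = ("src", "dst")   # assumed names of the optional_direction values


@dataclass(frozen=True)
class TagSpec:
    tag_type: str
    count: int
    metric: str
    direction: Optional[str] = None


def parse_tag(value: str) -> TagSpec:
    """Parse 'tagging_type, count, metric, optional_direction' and validate it."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 comma-separated fields, got {len(parts)}")
    tag_type, count_str, metric = parts[:3]
    direction = parts[3] if len(parts) == 4 else None
    if tag_type not in TAG_TYPES:
        raise ValueError(f"tagging_type must be one of {TAG_TYPES}")
    if not count_str.isdigit() or int(count_str) == 0:
        raise ValueError("count must be a positive integer")
    if metric not in METRICS:
        raise ValueError(f"metric must be one of {METRICS}")
    if direction is not None:
        # Assumption: the direction modifier is described for the host type only.
        if tag_type != "host":
            raise ValueError("direction is only valid with the host tagging type")
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
    return TagSpec(tag_type, int(count_str), metric, direction)


def is_valid_tag(value: str) -> bool:
    """True if parse_tag accepts the value, False if it raises ValueError."""
    try:
        parse_tag(value)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds, relative to the packet that triggered the rule
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def same_session(a: Packet, b: Packet) -> bool:
    """Assumed session definition: same 5-tuple in either direction."""
    fwd = (a.src, a.sport, a.dst, a.dport) == (b.src, b.sport, b.dst, b.dport)
    rev = (a.src, a.sport, a.dst, a.dport) == (b.dst, b.dport, b.src, b.sport)
    return a.proto == b.proto and (fwd or rev)


def selects(spec: TagSpec, trigger: Packet, pkt: Packet) -> bool:
    """Would this tag log pkt, given the packet that triggered the rule?"""
    if spec.tag_type == "session":
        return same_session(trigger, pkt)
    host = trigger.src  # host type: the host that sent the triggering packet
    if spec.direction == "src":   # assumption: only traffic the host sends
        return pkt.src == host
    if spec.direction == "dst":   # assumption: only traffic sent to the host
        return pkt.dst == host
    return host in (pkt.src, pkt.dst)


def tagged_packets(spec: TagSpec, trigger: Packet, trace: List[Packet]) -> List[Packet]:
    """Apply the count/metric budget to the packets that follow the trigger."""
    logged: List[Packet] = []
    for pkt in sorted(trace, key=lambda p: p.ts):
        if pkt.ts <= trigger.ts:
            continue                      # only traffic after the rule triggers
        if spec.metric == "seconds" and pkt.ts > trigger.ts + spec.count:
            break                         # time window exhausted
        if spec.metric == "packets" and len(logged) >= spec.count:
            break                         # packet budget exhausted (counts tagged packets only)
        if selects(spec, trigger, pkt):
            logged.append(pkt)
    return logged


# Constructed trace (not captured data): the trigger is a client request to a web server.
TRIGGER = Packet(0.0, "10.0.0.5", 40000, "192.0.2.10", 80)
TRACE = [
    TRIGGER,
    Packet(1.0, "192.0.2.10", 80, "10.0.0.5", 40000),   # server reply, same session
    Packet(2.0, "10.0.0.5", 40001, "192.0.2.10", 443),  # same host, different session
    Packet(5.0, "10.0.0.9", 5000, "10.0.0.5", 22),      # another host sending to the host
    Packet(40.0, "10.0.0.5", 40000, "192.0.2.10", 80),  # same session, but after 30 s
    Packet(41.0, "10.0.0.5", 40002, "198.51.100.7", 53),
]


def count_logged(tag_value: str) -> int:
    """Number of packets from TRACE that the given tag value would log."""
    return len(tagged_packets(parse_tag(tag_value), TRIGGER, TRACE))


if __name__ == "__main__":
    for value in ("session, 30, seconds", "host, 30, seconds",
                  "host, 30, seconds, src", "host, 30, seconds, dst",
                  "host, 2, packets"):
        print(f"{value:26s} -> {count_logged(value)} packet(s) logged")
```

Running the block shows the difference the caution above is about: on this small trace the seconds metric is bounded by the window and the packets metric by the budget, but on a busy link a `host` tag with a large seconds count keeps logging every packet to or from that host for the whole window, which is why the count should be sized for the network rather than copied from an example.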