[Bro-Dev] $tag in notice_info

Robin Sommer robin at icir.org
Mon Mar 7 13:37:13 PST 2011


On Mon, Mar 07, 2011 at 13:05 -0500, you wrote:

> Is there anyone around that can explain the purpose of the $tag field in the notice_info type?

It uniquely identifies the NOTICE and can then be used at other
locations to refer to it. The only use of it I recall right now is in
conn.log: the relevant connection shows the tag in the addl field.

I'm actually not sure how helpful having the tag is; I don't think
I've ever used the tag, but always grep for the 4-tuple right away.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

