[Bro-Dev] $tag in notice_info
robin at icir.org
Mon Mar 7 13:37:13 PST 2011

On Mon, Mar 07, 2011 at 13:05 -0500, you wrote:

> Is there anyone around that can explain the purpose of the $tag field in the notice_info type?

It uniquely identifies the NOTICE and can then be used at other
locations to refer to it. The only use of it I recall right now is in
conn.log: the relevant connection shows the tag in the addl field.

I'm actually not sure how helpful having the tag is; I don't think
I've ever used the tag but always grep for the 4-tuple right away.

Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org