The tag rule option is used to tell Snort to continue to log additional packets or bytes following a rule "event". Rule writers can specify whether to tag packets or bytes seen from both the source host and destination host, just the source host, or just the destination host. Furthermore, they can also control whether to log a certain number of packets or bytes, or to log all packets occurring over a specified number of seconds.

This rule option requires two arguments: (1) the tag type, which defines from whom to log the packets, and (2) a metric (packets, bytes, or seconds) followed by the number of packets or bytes to log or the number of seconds to log for.


tag:{session|host_src|host_dst}, {packets packets|seconds seconds|bytes bytes};


# tag the next 10 packets from the entire session
tag:session, packets 10;
# tag the next 4000 bytes from the source IP address of the
# packet that generated the initial event
tag:host_src, bytes 4000;
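
The fragments above show the option on its own. As an added illustration (not taken from the Snort documentation), the two rules below place tag inside complete rules. The ports, content strings, messages and sid values are constructed for the example, and $EXTERNAL_NET and $HOME_NET are assumed to be defined in the local configuration.

```snort
# Constructed example rules: ports, content strings and sids are illustrative.

# Alert on an FTP "USER root" login attempt, then keep logging all packets
# of that same session for the following 60 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(
    msg:"FTP root login attempt, tagging session";
    flow:to_server,established;
    content:"USER root",nocase;
    tag:session, seconds 60;
    sid:1000001; rev:1;
)

# Alert on "root" sent to an internal Telnet server, then log the next
# 50 packets from the destination host of the triggering packet
# (here, the server that received the data).
alert tcp $EXTERNAL_NET any -> $HOME_NET 23
(
    msg:"Telnet root string to internal server, tagging destination host";
    flow:to_server,established;
    content:"root",nocase;
    tag:host_dst, packets 50;
    sid:1000002; rev:1;
)
```

The first rule bounds the extra logging by time and the second by packet count; either metric can be combined with any of the three tag types.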