[Snort-devel] RFE: improving generation of event_ref

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Thu Oct 7 06:09:27 EDT 2004


Hi -

Has anyone had any thoughts on improving the 'randomness' of the event_ref 
field used to associate tagged packets with their parent alert?

I ask because if snort is restarted, the event_ref counter resets, and 
tagged packets that were associated with an alert raised in a previous 
instance of snort may have the same event_ref as alerts raised by the 
current run.

Could event_ref be a hash of the parent alert's 4-tuple (i.e. src addr, dst 
addr, sport, dport) or something? Combining a timestamp into the hash might 
be a good idea, too.

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
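The collision the post describes, and the hashed alternative it proposes, as an added example (not Snort code, and not the author's): a per-process counter restarts at 1 with every run, whereas a digest of the parent alert's 4-tuple plus its timestamp stays distinct across restarts. The field layout, the FNV-1a hash and the sample alerts are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical key: the parent alert's 4-tuple plus its timestamp. */
typedef struct {
    uint32_t src_addr, dst_addr;   /* IPv4, host byte order */
    uint16_t sport, dport;
    uint32_t ts_sec, ts_usec;      /* alert timestamp */
} alert_key_t;

/* Counter-based event_ref as the post describes: one counter per process,
 * so every restart begins again at 1. */
uint32_t counter_event_ref(uint32_t *counter) { return ++*counter; }

/* 64-bit FNV-1a over a byte buffer (assumed choice of hash, not Snort's). */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static void put32(uint8_t *b, uint32_t v) {
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}
static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; }

/* Proposed event_ref: serialise the key in a fixed order, then hash it, so the
 * value depends only on the alert and not on how many alerts this run has seen. */
uint64_t hashed_event_ref(alert_key_t k) {
    uint8_t buf[20];
    put32(buf, k.src_addr);   put32(buf + 4, k.dst_addr);
    put16(buf + 8, k.sport);  put16(buf + 10, k.dport);
    put32(buf + 12, k.ts_sec); put32(buf + 16, k.ts_usec);
    return fnv1a64(buf, sizeof buf);
}

/* Two runs, one alert each: counters collide (1 == 1). */
int counter_refs_collide(void) {
    uint32_t run1 = 0, run2 = 0;
    return counter_event_ref(&run1) == counter_event_ref(&run2);
}
int hashed_refs_collide(alert_key_t a, alert_key_t b) { return hashed_event_ref(a) == hashed_event_ref(b); }

/* Constructed sample alert: 10.0.0.1:40000 -> 10.0.0.2:dport at ts_sec. */
alert_key_t sample_alert(uint32_t ts_sec, uint16_t dport) {
    alert_key_t k = { 0x0A000001u, 0x0A000002u, 40000, dport, ts_sec, 0 };
    return k;
}

int main(void) {
    alert_key_t before = sample_alert(1097143767u, 80), after = sample_alert(1097143768u, 80);
    printf("counter collides: %d  hashed collides: %d\n", counter_refs_collide(), hashed_refs_collide(before, after));
    return 0;
}
```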