[Snort-devel] RFE: improving generation of event_ref

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Fri Oct 8 02:18:19 EDT 2004


--On 07 October 2004 14:29 -0400 Martin Roesch <roesch at ...402...> 
wrote:

> I thought about having a packet serial that was something like
>
> typedef struct _PktSerial
> {
> 	u_int8_t  if_mac[6];
> 	time_t    start_time;
> 	u_int32_t pkt_id;
> } PktSerial;
>
> This would let us have a unique collection interface identifier, start
> time reference and an instance count for every packet and event.  I
> proposed this a few months ago and as I recall Frank Knobbe thought that
> tying the serial to the MAC was bad because interfaces can be changed on
> devices and for one other reason that I'm not remembering right now.  I
> contend that the MAC doesn't really matter except to give us a unique
> hardware identifier that can be referenced to identify Snort runs, but
> I'm not married to it or anything.

I don't think using MAC addresses would be a heinous crime, but I don't see 
that it buys much over the existing sid (sensor ID) field either.

Having had a look at the code now, and what information is available to the 
functions that set event_reference, perhaps an easy and better approach 
would be something like:

[at snort init]

        static u_int32_t snortsessrand;

[...]
        struct timeb tp;
        ftime(&tp);
        srand(((unsigned int)tp.time<<16)|tp.millitm);
        snortsessrand=rand();

[later]
        event->event_reference=snortsessrand ^ event_id;

?

[snip]

> Just my thoughts on the topic.

Just mine. ;-)

>       -Marty

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
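The scheme sketched in the message above, as an added example that is not part of the original post nor Snort's own code. It keeps the two steps of the proposal (a per-run value drawn from rand() seeded with (seconds << 16) | milliseconds at init, then event_reference = snortsessrand ^ event_id per event) and adds the checks a practitioner would want before shipping it. Everything named here is an assumption for illustration: ExampleEvent is a stand-in for Snort's event struct reduced to the two fields touched, ftime() is replaced by the POSIX clock_gettime() to build the same seed bits, and the example_* functions do not exist in Snort.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime() */
#endif
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for Snort's event struct, reduced to the two
 * fields the proposal touches. Not Snort's real definition. */
typedef struct {
    uint32_t event_id;         /* per-run counter, assumed unique within a run */
    uint32_t event_reference;  /* value the proposal derives from it */
} ExampleEvent;

/* Per-run value, set once at init (the proposal's snortsessrand). */
static uint32_t snortsessrand;

/* Deterministic init with an explicit seed. srand()/rand() are
 * deterministic, so the same seed always yields the same per-run value. */
uint32_t example_init_session_rand_seeded(unsigned int seed)
{
    srand(seed);
    snortsessrand = (uint32_t)rand();
    return snortsessrand;
}

/* Init as proposed: seed = (seconds << 16) | milliseconds. The original
 * used ftime(); clock_gettime() produces the same bits here (assumption:
 * a POSIX libc). Falls back to seed 0 if the clock is unavailable. */
uint32_t example_init_session_rand(void)
{
    struct timespec ts;
    unsigned int seed = 0;
    if (clock_gettime(CLOCK_REALTIME, &ts) == 0) {
        unsigned int millis = (unsigned int)(ts.tv_nsec / 1000000L);
        seed = ((unsigned int)ts.tv_sec << 16) | millis;
    }
    return example_init_session_rand_seeded(seed);
}

/* The proposal's "[later]" step. */
void example_set_event_reference(ExampleEvent *ev)
{
    ev->event_reference = snortsessrand ^ ev->event_id;
}

/* XOR is its own inverse: a single (event_id, event_reference) pair from a
 * run gives back that run's snortsessrand. Useful for correlation tooling;
 * it also means the per-run value is not a secret once one event is seen. */
uint32_t example_recover_session_rand(const ExampleEvent *ev)
{
    return ev->event_reference ^ ev->event_id;
}

/* Round-trip check for one run: init with `seed`, tag an event, and
 * confirm both the derivation and the recovery. Returns 1 on success. */
int example_roundtrip_ok(unsigned int seed, uint32_t event_id)
{
    uint32_t s = example_init_session_rand_seeded(seed);
    ExampleEvent ev = { event_id, 0 };
    example_set_event_reference(&ev);
    if (ev.event_reference != (s ^ event_id)) return 0;
    if (example_recover_session_rand(&ev) != s) return 0;
    return 1;
}

/* Within one run, distinct event_ids must give distinct references
 * (XOR with a constant is a bijection). Checks ids 1..n pairwise;
 * O(n^2), which is fine for a demo. Returns 1 if all are unique. */
int example_references_unique(uint32_t n)
{
    uint32_t i, j;
    for (i = 1; i <= n; i++) {
        for (j = i + 1; j <= n; j++) {
            if ((snortsessrand ^ i) == (snortsessrand ^ j)) return 0;
        }
    }
    return 1;
}

int main(void)
{
    uint32_t s = example_init_session_rand();
    ExampleEvent ev = { 1, 0 };
    example_set_event_reference(&ev);
    printf("snortsessrand=%u event_id=%u event_reference=%u recovered=%u\n",
           s, ev.event_id, ev.event_reference, example_recover_session_rand(&ev));
    printf("roundtrip ok: %d, unique within run: %d\n",
           example_roundtrip_ok(12345u, 42u), example_references_unique(1000u));
    return 0;
}
```

Two properties of the scheme fall out of running this. First, the reference is only as unpredictable as the seed: srand() is deterministic, so two runs started in the same millisecond (or a run whose start time is known to the reader) produce the same snortsessrand, and event_reference is then a function of event_id alone. Second, because XOR is reversible, any consumer holding one event recovers the per-run value, so event_reference distinguishes runs but does not hide anything about them.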
