[Snort-devel] Unified2 Record Order

firnsy firnsy at ...3030...
Fri Jun 3 18:10:39 EDT 2011

G'day Snort dev,

I need some clarification regarding the record order in unified2 files.

Is it possible to receive a Packet record (1) at a later stage in the 
file that is associated with an earlier Event (A) record, which has a 
number of unrelated Event (B,C, ...) and Packet (2, 3, ...) records in 

For example (hopefully it makes sense):

...A1111B2C3D44444441E5 ...

I have the feeling I've seen this before, and it was a packet from a 
portscan event that occurred previously, but other events had occurred 
(and had been written) in between. This was a long time ago though, and 
I'm now kinda doubting if I saw it at all.

It seems entirely possible this can happen, particularly with portscan 
events/packets, but I just want to make sure.

