[Snort-devel] Unified2 Record Order
firnsy at ...3030...
Fri Jun 3 18:10:39 EDT 2011
G'day Snort dev,
I need some clarification regarding the record order in unified2 files.
Is it possible to receive a Packet record (1) at a later stage in the
file that is associated with an earlier Event (A) record, which has a
number of unrelated Event (B,C, ...) and Packet (2, 3, ...) records in
For example (hopefully it makes sense):
I have the feeling I've seen this before, and it was a packet from a
portscan event that occurred previously, but other events had occurred
(and had been written) in between. This was a long time ago though, and
I'm now kinda doubting if I saw it at all.
It seems entirely possible this can happen, particularly with portscan
events/packets, but I just want to make sure.
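As an added illustration (not code from the poster or from the Snort project): a small unified2 reader that pairs Packet records with their Event records by identifier rather than by position in the file, so it gives the same result whether or not unrelated Event/Packet records are written in between. It assumes the record layouts from Snort's Unified2_common.h (an 8-byte big-endian type/length header, the 52-byte Unified2IDSEvent for type 7, the 28-byte Unified2Packet header for type 2); the sample byte stream is constructed here, including a truncated trailing record such as a consumer sees while Snort is still writing the file.

```python
import struct
from collections import defaultdict

# Record type values from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# unified2 stores every field in network byte order (big-endian).
RECORD_HEADER = struct.Struct("!II")               # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")    # Unified2IDSEvent, 52 bytes
PACKET_HEADER = struct.Struct("!IIIIIII")          # Unified2Packet header, 28 bytes


def iter_records(data):
    """Yield (type, payload) for each complete record in data.

    Stops at a truncated trailing record; a live reader would wait for
    more bytes instead of treating that as corruption."""
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + length > len(data):
            break
        yield rtype, data[off:off + length]
        off += length


def correlate(data):
    """Attach each Packet record to its Event regardless of ordering.

    The key is (sensor_id, event_id, event_second): event_second is carried
    by both record types, and including it keeps a restarted event_id
    counter from colliding with an older event. Packets that arrive before
    their Event are parked in 'pending' until it shows up."""
    events = {}
    pending = defaultdict(list)
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(payload)
            key = (f[0], f[1], f[2])
            events[key] = {"gid": f[5], "sid": f[4],
                           "packets": pending.pop(key, [])}
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HEADER.unpack_from(payload)
            key = (f[0], f[1], f[2])
            start = PACKET_HEADER.size
            pkt = payload[start:start + f[6]]   # f[6] is packet_length
            if key in events:
                events[key]["packets"].append(pkt)
            else:
                pending[key].append(pkt)
        # Other record types (IPv6 events, extra data, ...) are ignored here.
    return events, dict(pending)


# --- constructed sample data, not taken from a real sensor -----------------
def build_event(sensor_id, event_id, second, gid, sid):
    payload = IDS_EVENT.pack(sensor_id, event_id, second, 0, sid, gid, 1, 0, 3,
                             0x0A000001, 0x0A000002, 0, 0, 6, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload


def build_packet(sensor_id, event_id, second, data):
    payload = PACKET_HEADER.pack(sensor_id, event_id, second, second, 0,
                                 1, len(data)) + data   # linktype 1 = Ethernet
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(payload)) + payload


PKT_A = b"\x00" * 14 + b"A"
PKT_B = b"\x00" * 14 + b"B"

# Event A, Event B, Packet for B, Event C, then the Packet for A arrives last,
# followed by a record cut short mid-write.
SAMPLE = (build_event(1, 1, 1000, 122, 3)       # A: sfportscan-style gid 122
          + build_event(1, 2, 1001, 1, 2004)    # B
          + build_packet(1, 2, 1001, PKT_B)
          + build_event(1, 3, 1002, 1, 2005)    # C
          + build_packet(1, 1, 1000, PKT_A)     # belongs to A, written late
          + RECORD_HEADER.pack(UNIFIED2_PACKET, 60) + b"\x00" * 10)

if __name__ == "__main__":
    evs, orphans = correlate(SAMPLE)
    for key, ev in sorted(evs.items()):
        print(key, "gid:sid=%d:%d" % (ev["gid"], ev["sid"]),
              [p[-1:] for p in ev["packets"]])
    print("orphan packets:", orphans)
```

Whatever the answer to the ordering question turns out to be, a consumer built this way is correct either way; it is only a reader that assumes a Packet record immediately follows its Event record that would mis-attribute a late portscan packet.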