[Snort-devel] Unified2 Record Order

Steven Sturges ssturges at ...402...
Sat Jun 4 11:44:09 EDT 2011


Yes, this is possible... When tagging packets associated with
events, subsequent packets are logged as they arrive, and could
be interspersed with other events and packets.

Within the unified2 structure, there is an event ID, and all
data associated with a unique event are logged with that event ID.

That includes the event itself, any associated packets, as well
as extra data events (eg, X-Forwarded-For data from HTTP that was
added in 2.9.0).

Hope this helps.

Cheers.
-steve

On 6/3/11 6:10 PM, firnsy wrote:
> G'day Snort dev,
>
> I need some clarification regarding the record order in unified2 files.
>
> Is it possible to receive a Packet record (1) at a later stage in the
> file that is associated with an earlier Event (A) record, which has a
> number of unrelated Event (B,C, ...) and Packet (2, 3, ...) records in
> between?
>
> For example (hopefully it makes sense):
>
> ...A1111B2C3D44444441E5 ...
>
> I have the feeling I've seen this before, and it was a packet from a
> portscan event that occurred previously, but other events had occurred
> (and had been written) in between. This was a long time ago though, and
> I'm now kinda doubting if I saw it at all.
>
> It seems entirely possible this can happen, particularly with portscan
> events/packets, but I just want to make sure.
>
> Regards,
> firnsy
>
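The ordering Steve describes means a consumer cannot assume that a packet record follows its event record directly: it has to join on the event ID carried in each record. The following is an added example (not Snort's own code and not from either poster) that builds a small unified2 byte stream reproducing the "A1111B2C3D44444441E5" pattern from the question and then groups packets back under their events. The record layouts for the type 7 IDS event and type 2 packet records are my reading of Snort's Unified2_common.h and the sample records are constructed; the join key uses the sensor ID and event second together with the event ID, because the event ID counter alone is not unique across a sensor restart.

```python
"""Correlate unified2 packet records with their events when the records are
interleaved, as the thread describes.  Added example, not Snort code."""
import struct
from collections import defaultdict

# Record type values as I understand them from Unified2_common.h (assumption,
# check against your Snort version).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

_HDR = struct.Struct("!II")  # record header: type, length of body

# IDS event v1 (type 7): sensor_id, event_id, event_second, event_usec, sig_id,
# gen_id, sig_rev, class_id, priority, src_ip, dst_ip, sport, dport, proto,
# impact_flag, impact, blocked  (52 bytes; layout is an assumption)
_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")

# Packet (type 2): sensor_id, event_id, event_second, packet_second,
# packet_usec, linktype, packet_length, followed by the raw packet bytes
_PACKET = struct.Struct("!IIIIIII")


def build_event(sensor_id, event_id, event_second, sig_id):
    """Serialize a constructed IDS event record (addresses/ports are dummies)."""
    body = _EVENT.pack(sensor_id, event_id, event_second, 0, sig_id, 1, 1, 0, 3,
                       0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, payload):
    """Serialize a constructed packet record tied to (sensor_id, event_id, event_second)."""
    body = _PACKET.pack(sensor_id, event_id, event_second, event_second, 0, 1,
                        len(payload)) + payload
    return _HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(data):
    """Yield (type, body) for each record; refuse to read past a truncated record."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        off += _HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - _HDR.size))
        yield rtype, data[off:off + rlen]
        off += rlen


def correlate(data):
    """Group packets under their events regardless of what was written in between.

    Returns (events, orphans).  events maps (sensor_id, event_id, event_second)
    to {"sig_id": ..., "packets": [payload, ...]} in file order; orphans holds
    packets whose event record was never seen (e.g. it sits in a rotated file).
    """
    events = {}
    packets = defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = _EVENT.unpack_from(body)
            events[(f[0], f[1], f[2])] = {"sig_id": f[4], "packets": []}
        elif rtype == UNIFIED2_PACKET:
            f = _PACKET.unpack_from(body)
            payload = body[_PACKET.size:_PACKET.size + f[6]]
            packets[(f[0], f[1], f[2])].append(payload)
        # other record types (extra data, IPv6/VLAN variants) are skipped here
    orphans = {}
    for key, plist in packets.items():
        if key in events:
            events[key]["packets"] = plist
        else:
            orphans[key] = plist
    return events, orphans


def sample_stream():
    """Constructed stream shaped like the question's A1111B2C3D44444441E5 pattern,
    shortened: event A's last packet arrives after events B, C and D."""
    ts = 1307138400
    ev = lambda i: (1, 100 + i, ts)          # sensor 1, event IDs 100..104
    A, B, C, D, E = (ev(i) for i in range(5))
    return b"".join([
        build_event(*A, sig_id=1000), build_packet(*A, b"A1"), build_packet(*A, b"A2"),
        build_event(*B, sig_id=1001), build_packet(*B, b"B1"),
        build_event(*C, sig_id=1002), build_packet(*C, b"C1"),
        build_event(*D, sig_id=1003), build_packet(*D, b"D1"), build_packet(*D, b"D2"),
        build_packet(*A, b"A3"),             # late packet for event A
        build_event(*E, sig_id=1004), build_packet(*E, b"E1"),
    ])


if __name__ == "__main__":
    evs, orph = correlate(sample_stream())
    for key, rec in evs.items():
        print(key, rec["sig_id"], rec["packets"])
    print("orphans:", orph)
```

A reader of live files should expect the orphan case as normal rather than an error: with tagged or portscan packets still arriving after a log rotation, the event lives in the previous file, so a consumer that keeps events only from the current file will see packets it cannot attach.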