[Snort-devel] Unified2 Record Order

beenph beenph at ...2499...
Sat Jun 4 12:08:36 EDT 2011


On Sat, Jun 4, 2011 at 11:44 AM, Steven Sturges <ssturges at ...402...> wrote:
> Yes, this is possible... When tagging packets associated with
> events, subsequent packets are logged as they arrive, and could
> be interspersed with other events and packets.
>

> Within the unified2 structure, there is an event ID, and all
> data associated with a unique event are logged with that event ID.
>
> That includes the event itself, any associated packets, as well
> as extra data events (eg, X-Forwarded-For data from HTTP that was
> added in 2.9.0).
>
> Hope this helps.
>
> Cheers.
> -steve
>


But events, the way they are logged, are logged with an event header and
a packet header if needed, right?


[UNIFIED2 EVENT 1]
[UNIFIED2 PACKET 1]

[UNIFIED2 EVENT 2]
[UNIFIED2 PACKET 2]

[UNIFIED2 EVENT 3]
[UNIFIED2 PACKET 3]


And not

[UNIFIED2 EVENT 1]
[UNIFIED2 EVENT 2]

[UNIFIED2 EVENT 3]
[UNIFIED2 PACKET 2]
[UNIFIED2 PACKET 3]
[UNIFIED2 PACKET 1]


Right?

Thanks in advance.
-elz
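As an added example (not code from this thread, and not Snort's own code), the following Python reader walks a unified2 byte stream and regroups the records by event ID, so the interleaved order in the second diagram and the neat order in the first both reconstruct to the same per-event bundles of event, packets and extra data. The record-type values and field offsets are the ones I believe Unified2_common.h defines (type/length header in network byte order, sensor_id and event_id as the first two fields of event and packet bodies, an 8-byte extra-data header before them in extra-data records); treat them as assumptions and check against your Snort tree. The sample stream is constructed inline, and records are keyed on (sensor_id, event_id) because event IDs are only unique per sensor.

```python
import struct
from collections import defaultdict

# Record type values as I recall them from Snort's Unified2_common.h (assumed;
# verify against your tree).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

# Packet record body: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length (7 x uint32), then packet bytes.
PACKET_HDR = struct.Struct('!IIIIIII')


def read_records(data):
    """Yield (rec_type, body) for every record in a unified2 byte stream.

    Each record starts with a network-order (type, length) header; length
    counts only the body.  A truncated record or trailing garbage raises,
    which is what a reader tailing a live spool should notice rather than
    silently skip."""
    off = 0
    while off + 8 <= len(data):
        rec_type, length = struct.unpack_from('!II', data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            raise ValueError('truncated record at offset %d' % off)
        yield rec_type, body
        off += 8 + length
    if off != len(data):
        raise ValueError('%d trailing bytes' % (len(data) - off))


def is_well_formed(data):
    """True when the whole stream splits cleanly into records."""
    try:
        for _ in read_records(data):
            pass
        return True
    except ValueError:
        return False


def record_key(rec_type, body):
    """(sensor_id, event_id) for any record type that carries them."""
    # Extra-data bodies start with an 8-byte (event_type, event_length)
    # header; event and packet bodies start with sensor_id directly.
    base = 8 if rec_type == UNIFIED2_EXTRA_DATA else 0
    return struct.unpack_from('!II', body, base)


def packet_payload(body):
    """The captured packet bytes that follow the packet record header."""
    return body[PACKET_HDR.size:]


def correlate(data):
    """Group records by (sensor_id, event_id) regardless of arrival order.

    Returns (groups, orphans): groups maps the key to its event body, the
    packet bodies logged for it, and its extra-data bodies; orphans lists
    keys that received packets or extra data but never an event record."""
    groups = defaultdict(lambda: {'event': None, 'packets': [], 'extra': []})
    for rec_type, body in read_records(data):
        key = record_key(rec_type, body)
        if rec_type in EVENT_TYPES:
            groups[key]['event'] = body
        elif rec_type == UNIFIED2_PACKET:
            groups[key]['packets'].append(body)
        elif rec_type == UNIFIED2_EXTRA_DATA:
            groups[key]['extra'].append(body)
        # Unknown record types are ignored here; a production reader would log them.
    orphans = sorted(k for k, g in groups.items() if g['event'] is None)
    return dict(groups), orphans


# --- constructed sample stream (not a real Snort capture) ------------------

def _record(rec_type, body):
    return struct.pack('!II', rec_type, len(body)) + body

def _event(sensor, eid):
    # Only sensor_id and event_id are populated; the remaining fields of a
    # real event record are zero-filled here for brevity.
    return struct.pack('!II', sensor, eid) + b'\x00' * 44

def _packet(sensor, eid, payload):
    return PACKET_HDR.pack(sensor, eid, 0, 0, 0, 1, len(payload)) + payload

def _extra(sensor, eid, blob):
    # event_type/event_length header, then sensor_id, event_id, event_second,
    # type, data_type, blob_length, blob.  Type values are placeholders.
    inner = struct.pack('!IIIIII', sensor, eid, 0, 0, 0, len(blob)) + blob
    return struct.pack('!II', 0, len(inner)) + inner

# The interleaved order from the second diagram, plus a tagged second packet
# for event 1, an extra-data record for event 2, and a packet whose event
# never shows up.
SAMPLE = b''.join([
    _record(UNIFIED2_IDS_EVENT, _event(1, 1)),
    _record(UNIFIED2_IDS_EVENT, _event(1, 2)),
    _record(UNIFIED2_IDS_EVENT, _event(1, 3)),
    _record(UNIFIED2_PACKET, _packet(1, 2, b'pkt-2')),
    _record(UNIFIED2_EXTRA_DATA, _extra(1, 2, b'constructed-xff')),
    _record(UNIFIED2_PACKET, _packet(1, 3, b'pkt-3')),
    _record(UNIFIED2_PACKET, _packet(1, 1, b'pkt-1')),
    _record(UNIFIED2_PACKET, _packet(1, 1, b'pkt-1-tagged')),
    _record(UNIFIED2_PACKET, _packet(1, 9, b'no-event')),
])

if __name__ == '__main__':
    groups, orphans = correlate(SAMPLE)
    for key, g in sorted(groups.items()):
        print(key, 'event' if g['event'] else 'NO EVENT',
              len(g['packets']), 'packets', len(g['extra']), 'extra')
    print('orphans:', orphans)
```

The point for a consumer such as barnyard2 is that nothing about the file position of a packet record ties it to the event preceding it; only the (sensor_id, event_id) pair does, and a reader that assumes the first layout will misattribute packets whenever tagging interleaves them.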



