[Snort-devel] Unified2 Record Order

Steven Sturges ssturges at ...402...
Sat Jun 4 18:15:06 EDT 2011


Generally that is true.

However if there is more than one packet logged with an event, others
may be logged later.

On 6/4/11 12:08 PM, beenph wrote:
> On Sat, Jun 4, 2011 at 11:44 AM, Steven Sturges<ssturges at ...402...>  wrote:
>> Yes, this is possible... When tagging packets associated with
>> events, subsequent packets are logged as they arrive, and could
>> be interspersed with other events and packets.
>>
>
>> Within the unified2 structure, there is an event ID, and all
>> data associated with a unique event are logged with that event ID.
>>
>> That includes the event itself, any associated packets, as well
>> as extra data events (eg, X-Forwarded-For data from HTTP that was
>> added in 2.9.0).
>>
>> Hope this helps.
>>
>> Cheers.
>> -steve
>>
>
>
> But events, the way they are logged, are logged with an event header and
> a packet header if needed, right?
>
>
> [UNIFIED2 EVENT 1]
> [UNIFIED2 PACKET 1]
>
> [UNIFIED2 EVENT 2]
> [UNIFIED2 PACKET 2]
>
> [UNIFIED2 EVENT 3]
> [UNIFIED2 PACKET 3]
>
>
> And not
>
> [UNIFIED2 EVENT 1]
> [UNIFIED2 EVENT 2]
>
> [UNIFIED2 EVENT 3]
> [UNIFIED2 PACKET 2]
> [UNIFIED2 PACKET 3]
> [UNIFIED2 PACKET 1]
>
>
> Right?
>
> Thanks in advance.
> -elz
>

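The ordering question above (whether packet records always follow their event record, or can arrive later and interleaved) matters to anyone parsing unified2 output. The reader below is an added example, not code from Snort or from either poster: it walks the record stream, joins packet records to events on the (sensor_id, event_id) pair that both record types carry, and tolerates the interleaved order the thread describes, including a packet that shows up before or without its event. Record type numbers and field layouts follow the type-7 IDS event and type-2 packet records in Snort's Unified2_common.h; the sample stream is constructed here to reproduce the second ordering in the question plus a late-tagged packet.

```python
import struct
from collections import defaultdict

# Record type identifiers as defined in Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record starts with two network-order uint32s: record type, body length.
_HDR = struct.Struct("!II")
# IDS event (type 7) body: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol, impact_flag,
# impact, blocked (52 bytes).
_EVENT = struct.Struct("!9I4s4sHH4B")
# Packet (type 2) body: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length bytes of data.
_PKT = struct.Struct("!7I")


def build_event(sensor_id, event_id, second, sid):
    """Constructed type-7 event record (sample data, not a real capture)."""
    body = _EVENT.pack(sensor_id, event_id, second, 0, sid, 1, 1, 0, 1,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                       40000, 80, 6, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, second, data):
    """Constructed type-2 packet record carrying `data` as the captured bytes."""
    body = _PKT.pack(sensor_id, event_id, second, second, 0, 1, len(data)) + data
    return _HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(buf):
    """Yield (type, body) per record. A partial trailing header ends the walk
    (the file may still be written to); a body overrunning the buffer is an error."""
    off = 0
    while off + _HDR.size <= len(buf):
        rtype, rlen = _HDR.unpack_from(buf, off)
        start = off + _HDR.size
        end = start + rlen
        if end > len(buf):
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, buf[start:end]
        off = end


def group_by_event(buf):
    """Reassemble events with their packets regardless of on-disk order.

    Returns (events, orphans): events in first-seen order, each a dict with the
    packets logged under its (sensor_id, event_id); orphans maps keys of packets
    whose event record never appeared to their packet data.
    """
    events = {}                 # insertion-ordered: first-seen event order
    pending = defaultdict(list)  # packets seen before (or without) their event
    for rtype, body in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            f = _EVENT.unpack_from(body)
            key = (f[0], f[1])
            events[key] = {"sensor_id": f[0], "event_id": f[1], "second": f[2],
                           "sid": f[4], "gid": f[5], "packets": pending.pop(key, [])}
        elif rtype == UNIFIED2_PACKET:
            f = _PKT.unpack_from(body)
            key = (f[0], f[1])
            data = body[_PKT.size:_PKT.size + f[6]]
            if key in events:
                events[key]["packets"].append(data)
            else:
                pending[key].append(data)
        # Other record types (extra data, IPv6 events, ...) are skipped here.
    return list(events.values()), dict(pending)


# Constructed stream: three events, their packets interleaved out of order, a
# second tagged packet for event 1 logged later, and a packet with no event.
SAMPLE = b"".join([
    build_event(1, 1, 1000, 2001),
    build_event(1, 2, 1000, 2002),
    build_event(1, 3, 1001, 2003),
    build_packet(1, 2, 1000, b"pkt-for-2"),
    build_packet(1, 3, 1001, b"pkt-for-3"),
    build_packet(1, 1, 1000, b"pkt-for-1a"),
    build_packet(1, 1, 1000, b"pkt-for-1b"),
    build_packet(1, 9, 1002, b"no-event"),
])

if __name__ == "__main__":
    evs, orphans = group_by_event(SAMPLE)
    for ev in evs:
        print(ev["event_id"], ev["gid"], ev["sid"], [p.decode() for p in ev["packets"]])
    print("orphans:", {k: len(v) for k, v in orphans.items()})
```

Keying on (sensor_id, event_id) rather than event_id alone matters when several sensors write into one collection point, since each sensor numbers its events independently. Orphans are kept rather than dropped so a correlation pipeline can retry the join once the event record arrives, or flag the gap if it never does.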