[Snort-devel] Unified2 Record Order

beenph beenph at ...2499...
Mon Jun 6 11:12:47 EDT 2011


On Mon, Jun 6, 2011 at 10:43 AM, Steven Sturges <ssturges at ...402...> wrote:
> This is already there within the unified2 packet event structure.
> There are fields for the event_id and both the seconds from the
> original event, as well as the packet timestamp.
>
> typedef struct _Serial_Unified2Packet
> {
>    uint32_t sensor_id;
>    uint32_t event_id;
>    uint32_t event_second;
>    uint32_t packet_second;
>    uint32_t packet_microsecond;
>    uint32_t linktype;
>    uint32_t packet_length;
>    uint8_t packet_data[4];
> } Serial_Unified2Packet;
>

Well, this touches on what I was trying to express from my understanding,
but if you look at how a call to
CheckTagging in Decode.c unwinds, it will call CheckTagList.

If an event is found, CheckTagList will set the reference time and event id
from the "returned" event.
tag.c CheckTagList(Packet *p, Event *event)
<SNIP>
    if (create_event)
    {
        /* set the event info */
        SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1,
                 returned->event_id);
        /* set event reference details */
        event->ref_time.tv_sec = returned->event_time.tv_sec;
        event->ref_time.tv_usec = returned->event_time.tv_usec;
        event->event_reference = returned->event_id | ScEventLogId();
    }
</SNIP>

Then CheckTagging will call CallLogFuncs, and it will do the following:

    event->ref_time.tv_sec = p->pkth->ts.tv_sec;
    event->ref_time.tv_usec = p->pkth->ts.tv_usec;

From my understanding this will remove the reference set by CheckTagList and put back
the time of the tagged packet in the event.

From there the only reference is the event_id, but since event_id can
wrap, is it really reliable?

Maybe my understanding of the code flow is wrong?

-elz
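The record layout quoted at the top of the thread is enough to show what a unified2 reader has to key on when it ties a tagged-packet record back to its originating event. The example below is added here and is not Snort's code nor code from anyone in the thread. It parses the fixed fields of Serial_Unified2Packet (big-endian uint32s, which is how unified2 writes them) and then looks up the originating event two ways: by event_id alone, and by the tuple (sensor_id, event_id, event_second) that the packet record actually carries. The event table, the record bytes and the labels are constructed for the example; U2PacketHdr and the function names are this example's own, not Snort's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-size prefix of Serial_Unified2Packet as quoted in the thread
 * (everything before packet_data). Unified2 stores these fields as
 * big-endian 32-bit integers. Struct and helper names are this example's own. */
typedef struct {
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t packet_second;
    uint32_t packet_microsecond;
    uint32_t linktype;
    uint32_t packet_length;
} U2PacketHdr;

#define U2_PACKET_HDR_LEN 28u

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Parse the fixed header from a record body. Returns 0 on success, -1 if the
 * buffer is shorter than the header or claims more packet bytes than present. */
int u2_parse_packet_hdr(const uint8_t *buf, size_t len, U2PacketHdr *out)
{
    if (len < U2_PACKET_HDR_LEN)
        return -1;
    out->sensor_id          = rd32(buf + 0);
    out->event_id           = rd32(buf + 4);
    out->event_second       = rd32(buf + 8);
    out->packet_second      = rd32(buf + 12);
    out->packet_microsecond = rd32(buf + 16);
    out->linktype           = rd32(buf + 20);
    out->packet_length      = rd32(buf + 24);
    if (out->packet_length > len - U2_PACKET_HDR_LEN)
        return -1;
    return 0;
}

/* Serialise a header; used here only to build the constructed sample record. */
void u2_write_packet_hdr(uint8_t *buf, const U2PacketHdr *h)
{
    wr32(buf + 0,  h->sensor_id);
    wr32(buf + 4,  h->event_id);
    wr32(buf + 8,  h->event_second);
    wr32(buf + 12, h->packet_second);
    wr32(buf + 16, h->packet_microsecond);
    wr32(buf + 20, h->linktype);
    wr32(buf + 24, h->packet_length);
}

/* Constructed table standing in for event records a reader has already
 * consumed. event_id is a 32-bit counter, so after it wraps two different
 * events can carry the same id; event_second and sensor_id keep them apart. */
typedef struct {
    uint32_t sensor_id, event_id, event_second;
    const char *label;
} EventRef;

static const EventRef known_events[] = {
    { 1, 7u, 1307372580u, "event before the counter wrapped" },
    { 1, 7u, 1307380000u, "event after the counter wrapped, same id" },
    { 2, 7u, 1307380000u, "same id and second from another sensor" },
};
#define N_EVENTS (sizeof known_events / sizeof known_events[0])

/* Lookup keyed on event_id alone: returns the first hit, which is the wrong
 * event for any packet logged after the counter has wrapped. */
int find_event_by_id(uint32_t event_id)
{
    for (size_t i = 0; i < N_EVENTS; i++)
        if (known_events[i].event_id == event_id)
            return (int)i;
    return -1;
}

/* Lookup keyed on the full tuple the packet record carries. */
int find_event_for_packet(const U2PacketHdr *h)
{
    for (size_t i = 0; i < N_EVENTS; i++)
        if (known_events[i].sensor_id    == h->sensor_id &&
            known_events[i].event_id     == h->event_id &&
            known_events[i].event_second == h->event_second)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed tagged-packet record that belongs to the post-wrap event. */
    const U2PacketHdr in = { 1, 7u, 1307380000u, 1307380002u, 123456u, 1 /* DLT_EN10MB */, 4 };
    uint8_t buf[U2_PACKET_HDR_LEN + 4] = { 0 };
    U2PacketHdr h;
    int by_id, by_key;

    u2_write_packet_hdr(buf, &in);
    if (u2_parse_packet_hdr(buf, sizeof buf, &h) != 0)
        return 1;
    by_id  = find_event_by_id(h.event_id);
    by_key = find_event_for_packet(&h);
    printf("by event_id only: %s\n", by_id  >= 0 ? known_events[by_id].label  : "none");
    printf("by full key:      %s\n", by_key >= 0 ? known_events[by_key].label : "none");
    return 0;
}
```

The point of the two lookups is the one raised in the question: a reader that indexes events by event_id alone will attach a tagged packet to the wrong event once the counter has wrapped, whereas the packet record's own event_second (plus sensor_id) is what disambiguates, regardless of whether ref_time in the logged Event still holds the original event time or the packet time.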