[Snort-devel] Unified2 Record Order

Steven Sturges ssturges at ...402...
Mon Jun 6 11:32:41 EDT 2011


I see what you're getting at there... I was thinking you were
talking about the correlation of multiple packet events to the
related event data itself.

It looks like a bug that CallLogFuncs shouldn't change that
data if the event is from a TAG event.  We'll look into it.

-s

On 6/6/11 11:12 AM, beenph wrote:
> On Mon, Jun 6, 2011 at 10:43 AM, Steven Sturges<ssturges at ...402...>  wrote:
>> This is already there within the unified2 packet event structure.
>> There are fields for the event_id and both the seconds from the
>> original event, as well as the packet timestamp.
>>
>> typedef struct _Serial_Unified2Packet
>> {
>>     uint32_t sensor_id;
>>     uint32_t event_id;
>>     uint32_t event_second;
>>     uint32_t packet_second;
>>     uint32_t packet_microsecond;
>>     uint32_t linktype;
>>     uint32_t packet_length;
>>     uint8_t packet_data[4];
>> } Serial_Unified2Packet;
>>
>
> Well this touches what I was trying to express from my understanding,
> but if you look at how a call to
> CheckTagging in Decode.c unwinds, it will call CheckTagList.
>
> If an event is found, CheckTagList will set reference time and event id
> from "returned" event.
> tag.c CheckTagList(Packet *p, Event *event)
> <SNIP>
>   if (create_event)
>          {
>              /* set the event info */
>              SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1,
>                      returned->event_id);
>              /* set event reference details */
>              event->ref_time.tv_sec = returned->event_time.tv_sec;
>              event->ref_time.tv_usec = returned->event_time.tv_usec;
>              event->event_reference = returned->event_id | ScEventLogId();
>          }
> </SNIP>
>
> Then CheckTagging will call CallLogFuncs
> And it will do the following
>
> event->ref_time.tv_sec = p->pkth->ts.tv_sec;
>   event->ref_time.tv_usec = p->pkth->ts.tv_usec;
>
> From my understanding this will remove the reference set by CheckTagList to put back
> the time of the tagged packet in the event.
>
> From there the only reference is the event_id, but since event_id can
> wrap is it really reliable?
>
> Maybe my understanding of the code flow is wrong?
>
> -elz
>
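As an added example (not code from this thread or from Snort itself), here is a small reader for the Serial_Unified2Packet layout quoted above that groups packet records by (sensor_id, event_id, event_second) instead of event_id alone, which is what the wrap concern raised in the thread calls for. The (type, length) record header, the UNIFIED2_PACKET type value of 2, and the sample stream are assumptions made here and do not come from the message.

```python
import struct

# Assumed unified2 record header: type, length, network byte order; packet record type id.
REC_HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2
# Serial_Unified2Packet as quoted in the thread; packet_data follows these seven uint32 fields.
PKT_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
              "packet_microsecond", "linktype", "packet_length")
PKT_HDR = struct.Struct("!7I")


def build_packet_record(sensor_id, event_id, event_second, packet_second,
                        packet_usec, linktype, payload):
    """Serialise one UNIFIED2_PACKET record (used here only to construct sample input)."""
    body = PKT_HDR.pack(sensor_id, event_id, event_second, packet_second,
                        packet_usec, linktype, len(payload)) + payload
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def parse_packet_records(blob):
    """Return the packet records in a unified2 byte stream; other record types are skipped."""
    records, off = [], 0
    while off + REC_HDR.size <= len(blob):
        rtype, rlen = REC_HDR.unpack_from(blob, off)
        start, end = off + REC_HDR.size, off + REC_HDR.size + rlen
        if end > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        if rtype == UNIFIED2_PACKET:
            if rlen < PKT_HDR.size:
                raise ValueError("short packet record at offset %d" % off)
            rec = dict(zip(PKT_FIELDS, PKT_HDR.unpack_from(blob, start)))
            data_end = start + PKT_HDR.size + rec["packet_length"]
            if data_end > end:
                raise ValueError("packet_length exceeds record at offset %d" % off)
            rec["packet_data"] = blob[start + PKT_HDR.size:data_end]
            records.append(rec)
        off = end
    return records


def correlate(packets):
    """Group packet_second values by (sensor_id, event_id, event_second).
    Keying on event_id alone would merge packets of two events whose ids collide after a wrap."""
    groups = {}
    for p in packets:
        key = (p["sensor_id"], p["event_id"], p["event_second"])
        groups.setdefault(key, []).append(p["packet_second"])
    return groups


# Constructed sample: event_id 7 appears twice; the second occurrence stands in for a wrapped id.
SAMPLE = b"".join([
    build_packet_record(1, 7, 1000, 1000, 10, 1, b"\x00" * 14),
    build_packet_record(1, 7, 1000, 1003, 20, 1, b"\x00" * 20),
    build_packet_record(1, 7, 5000, 5002, 30, 1, b"\x00" * 16),
])
```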