[Snort-devel] Unified2 Record Order

beenph beenph at ...2499...
Mon Jun 6 11:55:12 EDT 2011


On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges at ...402...> wrote:
> I see what you're getting at there... I was thinking you were
> talking about the correlation of multiple packet events to the
> related event data itself.
>
> It looks like a bug that CallLogFuncs shouldn't change that
> data if the event is from a TAG event.  We'll look into it.
>
> -s

The ultimate goal is to make correlation easier for a process reading the
unified2 file (in this case barnyard2), but this could apply to other
unified2 readers also.
But let's say I want to correlate, and that I assume that snort's internal event_id
can wrap. I need more variables to generate my key, but in this context, if we use time
(generated event time), it's obviously gonna miss in the case of tagged packets.

I didn't look if there were other cases where this could happen, but I
assume it's possible.

Would it be logical for snort to write to the unified2 file when an event
is no longer valid, sort of like an outside pruning mechanism that would allow
unified2 readers to be aware that an event is no longer being referenced by the
IDS process?

-elz
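Added illustration (not code from this thread, from snort or from barnyard2): a small Python unified2 reader that reproduces the correlation problem discussed above. It builds an in-memory stream in which the tagged-packet records carry a rewritten event_second (simulating the behaviour Steven describes, not taken from snort's source) and a later event that reuses event_id 100 after a counter wrap. Keying on (sensor_id, event_id, event_second) orphans the tagged packets; keying on (sensor_id, event_id) plus a time window attaches them while keeping the wrapped event_id from absorbing the earlier packets. The record layouts are the standard Unified2 IDS_EVENT (type 7) and PACKET (type 2) structures; the sample records, addresses and the 60-second tag window are constructed for the demo.

```python
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Standard Unified2 layouts, network byte order (big-endian).
HDR = struct.Struct("!II")                       # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte IDS_EVENT body
PACKET_HDR = struct.Struct("!IIIIIII")           # 28-byte PACKET body, then packet bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def build_event(sensor_id, event_id, event_second, signature_id):
    """Serialize a minimal IDS_EVENT record (constructed sample values)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0, signature_id, 1, 1,
                          0, 2, 0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, packet_second, payload):
    """Serialize a PACKET record; event_second is whatever the sensor wrote."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, packet_second, 0, 1, len(payload))
    return HDR.pack(UNIFIED2_PACKET, len(body) + len(payload)) + body + payload


def parse_records(buf):
    """Walk a unified2 byte stream, yielding (type, fields) per record; unknown types are skipped."""
    off = 0
    while off + HDR.size <= len(buf):
        rtype, rlen = HDR.unpack_from(buf, off)
        body = buf[off + HDR.size: off + HDR.size + rlen]
        off += HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            yield rtype, dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
            rec["data"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
            yield rtype, rec


def correlate_strict(buf):
    """Key on (sensor_id, event_id, event_second): misses packets whose event_second was rewritten."""
    events, orphans = {}, []
    for rtype, rec in parse_records(buf):
        key = (rec["sensor_id"], rec["event_id"], rec["event_second"])
        if rtype == UNIFIED2_IDS_EVENT:
            events[key] = []
        elif key in events:
            events[key].append(rec["packet_second"])
        else:
            orphans.append(rec["packet_second"])
    return events, orphans


def correlate_windowed(buf, tag_window=60):
    """Key on (sensor_id, event_id) and attach each packet to the newest event
    whose event_second is not after the packet and within tag_window seconds.
    Tolerates a rewritten event_second on tagged packets while keeping a
    wrapped event_id that is reused much later from claiming earlier packets."""
    events = defaultdict(list)    # (sensor_id, event_id) -> [event_second, ...]
    attached = {}                 # (sensor_id, event_id, event_second) -> [packet_second, ...]
    orphans = []
    for rtype, rec in parse_records(buf):
        k = (rec["sensor_id"], rec["event_id"])
        if rtype == UNIFIED2_IDS_EVENT:
            events[k].append(rec["event_second"])
            attached[k + (rec["event_second"],)] = []
            continue
        ps = rec["packet_second"]
        candidates = [es for es in events[k] if es <= ps <= es + tag_window]
        if candidates:
            attached[k + (max(candidates),)].append(ps)
        else:
            orphans.append(ps)
    return attached, orphans


# Constructed stream: event 100 at t=1000 with its triggering packet, two tagged
# packets whose event_second was rewritten to the tag time, then an unrelated
# event that reuses event_id 100 after a wrap, much later at t=90000.
PAYLOAD = b"\x45" + b"\x00" * 19
SAMPLE = b"".join([
    build_event(1, 100, 1000, 2001),
    build_packet(1, 100, 1000, 1000, PAYLOAD),
    build_packet(1, 100, 1003, 1003, PAYLOAD),   # tagged, event_second rewritten
    build_packet(1, 100, 1005, 1005, PAYLOAD),   # tagged, event_second rewritten
    build_event(1, 100, 90000, 2002),
    build_packet(1, 100, 90000, 90000, PAYLOAD),
])

if __name__ == "__main__":
    print("strict:  ", correlate_strict(SAMPLE))
    print("windowed:", correlate_windowed(SAMPLE))
```

With the strict key the two tagged packets come out as orphans; with the windowed key they attach to the t=1000 event and the wrapped event_id at t=90000 keeps only its own packet. The window length is a reader-side guess at the tag duration, which is exactly the information an explicit "event no longer referenced" record, as proposed above, would make unnecessary.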
