[Snort-devel] Unified2 Record Order

Russ Combs rcombs at ...402...
Mon Jun 6 12:27:00 EDT 2011


We've already got one or two related bug fixes on logging / tagging for
291.  I'll see if it addresses this issue.

On Mon, Jun 6, 2011 at 11:55 AM, beenph <beenph at ...2499...> wrote:

> On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges at ...402...>
> wrote:
> > I see what you're getting at there... I was thinking you were
> > talking about the correlation of multiple packet events to the
> > related event data itself.
> >
> > It looks like a bug that CallLogFuncs shouldn't change that
> > data if the event is from a TAG event.  We'll look into it.
> >
> > -s
>
> The ultimate goal is to make correlation easier for a process reading the
> unified2 file (in this case barnyard2), but this could apply to other
> unified2 readers also.
> But let's say I want to correlate, and that I assume that snort's
> internal event_id can wrap; I need more variables to generate my key, but
> in this context, if we use time (generated event time), it's obviously
> gonna miss in the case of tagged packets.
>
> I didn't look if there were other cases where this could happen, but I
> assume it's possible.
>
> Would it be logical for snort to write to the unified2 file when an event
> is no longer valid, sort of like an outside pruning mechanism that would
> allow unified2 readers to be aware that an event is no longer being
> referenced by the IDS process?
>
> -elz
>
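The correlation problem discussed in this thread, as an added example that is not part of the original messages and is not Snort or barnyard2 code: a minimal unified2 reader that builds a few constructed event and packet records, then groups packets under their event. The record layouts follow the unified2 IDS event (type 7) and packet (type 2) records as I understand them from Snort's Unified2_common.h; the type values, the field order and the assumption that a tagged packet's record still carries the originating event's event_second (the behaviour Steven says the TAG path should preserve) are all assumptions of this example. Keying on (sensor_id, event_id, event_second) survives an event_id wrap; keying on the packet's own timestamp instead loses the tagged packet, which is the miss beenph describes.

```python
import struct
from collections import defaultdict

# Record type values as in Snort's Unified2_common.h (assumed; check your build)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# IDS event body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes, big-endian (assumed layout)
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"
# Packet body header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then the packet bytes (assumed layout)
PACKET_FMT = "!IIIIIII"


def make_event(sensor_id, event_id, event_second, sig_id=1000001):
    """Constructed unified2 IDS event record (type 7) with a record header."""
    body = struct.pack(EVENT_FMT,
                       sensor_id, event_id, event_second, 0,    # event_microsecond
                       sig_id, 1, 1, 1, 2,                      # sig, gen, rev, class, priority
                       0x0A000001, 0x0A000002,                  # 10.0.0.1 -> 10.0.0.2
                       12345, 80, 6, 0, 0, 0)                   # sport, dport, proto, impact_flag, impact, blocked
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


def make_packet(sensor_id, event_id, event_second, packet_second, payload):
    """Constructed unified2 packet record (type 2); event_second ties it to its event."""
    body = struct.pack(PACKET_FMT, sensor_id, event_id, event_second,
                       packet_second, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body


def parse_unified2(data):
    """Yield dicts for each record in a unified2 byte stream; unknown types are passed through."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        off += 8
        body = data[off:off + length]
        if len(body) < length:
            raise ValueError("truncated unified2 record at offset %d" % off)
        off += length
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack_from(EVENT_FMT, body, 0)
            yield {"kind": "event", "sensor_id": f[0], "event_id": f[1],
                   "event_second": f[2], "sig_id": f[4]}
        elif rtype == UNIFIED2_PACKET:
            f = struct.unpack_from(PACKET_FMT, body, 0)
            yield {"kind": "packet", "sensor_id": f[0], "event_id": f[1],
                   "event_second": f[2], "packet_second": f[3],
                   "data": body[28:28 + f[6]]}
        else:
            yield {"kind": "unknown", "type": rtype}


def correlate(data, packet_time_field="event_second"):
    """Group packets under events keyed by (sensor_id, event_id, <time>).

    Events are keyed on their own event_second; packets are keyed on the
    field named by packet_time_field. Returns (events, matched, orphans).
    """
    records = list(parse_unified2(data))
    events = {(r["sensor_id"], r["event_id"], r["event_second"]): r
              for r in records if r["kind"] == "event"}
    matched, orphans = defaultdict(list), []
    for r in records:
        if r["kind"] != "packet":
            continue
        key = (r["sensor_id"], r["event_id"], r[packet_time_field])
        (matched[key] if key in events else orphans).append(r)
    return events, matched, orphans


# Constructed stream: one event, its triggering packet, a tagged packet 5 s later,
# then the same event_id reused after a wrap.
SAMPLE = b"".join([
    make_event(1, 42, 1000),
    make_packet(1, 42, 1000, 1000, b"\x01"),
    make_packet(1, 42, 1000, 1005, b"\x02"),   # tagged: later packet_second, same event_second
    make_event(1, 42, 2000),                   # event_id 42 wrapped and reused
    make_packet(1, 42, 2000, 2000, b"\x03"),
])

if __name__ == "__main__":
    for field in ("event_second", "packet_second"):
        events, matched, orphans = correlate(SAMPLE, packet_time_field=field)
        print(field, "events:", len(events),
              "matched:", {k: len(v) for k, v in matched.items()},
              "orphans:", len(orphans))
```

With the sample stream, both events share event_id 42, so a key built from event_id alone would merge them; adding event_second separates them and still claims the tagged packet, whereas keying on packet_second leaves that packet orphaned.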