[Snort-devel] Unified2 Record Order

Russ Combs rcombs at ...402...
Mon Jun 6 16:35:55 EDT 2011


Turns out this was still unresolved.  We're opening a bug.  Thanks for
reporting it.

On Mon, Jun 6, 2011 at 12:27 PM, Russ Combs <rcombs at ...402...> wrote:

> We've already got one or two related bug fixes on logging / tagging for
> 291.  I'll see if it addresses this issue.
>
>
> On Mon, Jun 6, 2011 at 11:55 AM, beenph <beenph at ...2499...> wrote:
>
>> On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges at ...402...>
>> wrote:
>> > I see what you're getting at there... I was thinking you were
>> > talking about the correlation of multiple packet events to the
>> > related event data itself.
>> >
>> > It looks like a bug that CallLogFuncs shouldn't change that
>> > data if the event is from a TAG event.  We'll look into it.
>> >
>> > -s
>>
>> The ultimate goal is to make correlation easier for a process reading a
>> unified2 file (in this case barnyard2), but this could apply to other
>> unified2 readers also.
>> But let's say I want to correlate, and that I assume that Snort's
>> internal event_id can wrap; I need more variables to generate my key, but
>> in this context, if we use time (generated event time), it's obviously
>> gonna miss in the case of tagged packets.
>>
>> I didn't look if there were other cases where this could happen, but I
>> assume it's possible.
>>
>> Would it be logical for Snort to write to the unified2 file when an event
>> is no longer valid, sort of like an outside pruning mechanism that would
>> allow unified2 readers to be aware that an event is no longer being
>> referenced by the IDS process?
>>
>> -elz
>>
>>
>
>
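As an added illustration of the correlation problem elz describes (not code from this thread, from Snort or from barnyard2): a minimal unified2 reader, assuming the legacy IPv4 event and packet layouts from Snort's Unified2_common.h, that keys packet records to events on (sensor_id, event_id, event_second). The constructed sample contains a tagged packet whose event_second was rewritten to the tag time, so a reader keying on event time cannot attach it to its event.

```python
import struct

# Record types and fixed layouts as in Snort's Unified2_common.h (network byte order).
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
HDR = struct.Struct("!II")         # record header: type, length
EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy (IPv4), 52 bytes
PACKET = struct.Struct("!7I")      # fixed part of Unified2Packet, then packet bytes
EVENT_FIELDS = ("sensor_id event_id event_second event_microsecond signature_id generator_id "
                "signature_revision classification_id priority_id ip_source ip_destination "
                "sport_itype dport_icode protocol impact_flag impact blocked").split()
PACKET_FIELDS = ("sensor_id event_id event_second packet_second packet_microsecond "
                 "linktype packet_length").split()

def parse_records(blob):
    """Yield (record_type, fields) for each record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(blob):
        rtype, rlen = HDR.unpack_from(blob, off)
        body = blob[off + HDR.size:off + HDR.size + rlen]
        if rtype == UNIFIED2_IDS_EVENT:
            yield rtype, dict(zip(EVENT_FIELDS, EVENT.unpack_from(body)))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
            yield rtype, rec
        off += HDR.size + rlen

def correlate(blob):
    """Group packets under their event by (sensor_id, event_id, event_second); orphans are packets whose key matches no event."""
    events, orphans = {}, []
    for rtype, rec in parse_records(blob):
        key = (rec["sensor_id"], rec["event_id"], rec["event_second"])
        if rtype == UNIFIED2_IDS_EVENT:
            events.setdefault(key, [])
        elif key in events:
            events[key].append(rec)
        else:
            orphans.append(rec)
    return events, orphans

def event_record(sensor_id, event_id, second):  # constructed sample, not from a real sensor
    body = EVENT.pack(sensor_id, event_id, second, 0, 1000001, 1, 1, 0, 1,
                      0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body
def packet_record(sensor_id, event_id, event_second, data=b"\xde\xad\xbe\xef"):
    body = PACKET.pack(sensor_id, event_id, event_second, event_second, 0, 1, len(data)) + data
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body

SAMPLE = (event_record(1, 42, 1000)
          + packet_record(1, 42, 1000)   # triggering packet: event_second matches the event
          + packet_record(1, 42, 1005))  # tagged packet: event_second rewritten to the tag time
```

Running correlate(SAMPLE) attaches the first packet to the event and leaves the tagged packet as an orphan, which is exactly the miss the thread is about.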