[Snort-devel] Unified2 with EXTRA_DATA fields

Jaime Blasco jaime.blasco at ...3060...
Thu May 24 07:14:07 EDT 2012


Hi,

I want to explain a problem that we have while adapting our Unified2 parser
to the new extra-data fields.

The problem is that when you want to parse the events in real time, you don't
have a way to know if the Event will have an ExtraData later in the file.

Example:

(Event)
    sensor id: 0    event id: 31    event second: 1337848659    event microsecond: 228367
    sig id: 99999   gen id: 1   revision: 1  classification: 0
    priority: 0 ip source: 188.40.16.205    ip destination: 192.168.2.183
    src port: 80    dest port: 49892    protocol: 6 impact_flag: 0  blocked: 0

Packet
    sensor id: 0    event id: 31    event second: 1337848659
    packet second: 1337848659   packet microsecond: 228367
    linktype: 1 packet_length: 1506

...
...

(ExtraDataHdr)
    event type: 4   event length: 62

(ExtraData)
    sensor id: 0    event id: 14    event second: 1337848659
    type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055

(ExtraDataHdr)
    event type: 4   event length: 50

(ExtraData)
    sensor id: 0    event id: 14    event second: 1337848659
    type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com

(ExtraDataHdr)
    event type: 4   event length: 62

(ExtraData)
    sensor id: 0    event id: 15    event second: 1337848659
    type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055

(ExtraDataHdr)
    event type: 4   event length: 50

(ExtraData)
    sensor id: 0    event id: 15    event second: 1337848659
    type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com

...


So, is there a way of knowing if an Event will have an ExtraData entry
later?

Best Regards

-- 
_______________________________

Jaime Blasco

AlienVault Labs Manager

www.ossim.com
labs.alienvault.com
Email: jaime.blasco at ...3060...

http://twitter.com/jaimeblascob
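One way a real-time consumer can cope with this, as an added example (Python) that is not code from the post or from Snort: check an ExtraData record's three length fields against each other before trusting the blob, and keep every event open, keyed by (sensor id, event id), until the newest event second seen in the stream is a hold window past it, because the dump shows event 14's extra data arriving after event 31. Record type codes 7 (legacy IDS event) and 110 (extra data) are taken from Snort's Unified2_common.h, the ExtraDataHdr event type 4 is the value in the dump, and the records fed in are constructed to mirror the dump's values.

```python
import struct

# Record type codes from Snort's Unified2_common.h; 4 is the ExtraDataHdr event_type seen in the dump
UNIFIED2_IDS_EVENT, UNIFIED2_EXTRA_DATA, EVENT_TYPE_EXTRA_DATA = 7, 110, 4

def parse_extra(body):
    """Return ((sensor, event_id), second, info_type, blob), or None when the length fields disagree."""
    if len(body) < 32: return None
    ev_type, ev_len, sensor, eid, sec, typ, _dtype, bloblen = struct.unpack_from(">8I", body)
    # event_length covers the whole body; bloblength also counts the 8 bytes of type/datatype
    if ev_type != EVENT_TYPE_EXTRA_DATA or ev_len != len(body) or not 8 <= bloblen <= len(body) - 24:
        return None
    return (sensor, eid), sec, typ, body[32:24 + bloblen]

class Correlator:
    """Hold events until the stream clock (newest event_second seen) is a hold window past them:
    extra data can follow later events (event 14's URI comes after event 31 in the dump)."""
    def __init__(self, hold_seconds=5):
        self.hold, self.clock, self.pending = hold_seconds, 0, {}
    def feed(self, rtype, body):        # body = record with the outer Serial_Unified2_Header stripped
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= 52:
            f = struct.unpack_from(">11IHHBBBB", body)          # Serial_Unified2IDSEvent_legacy
            self.clock = max(self.clock, f[2])
            self.pending[(f[0], f[1])] = {"event_id": f[1], "second": f[2], "sig_id": f[4], "extra": {}}
        elif rtype == UNIFIED2_EXTRA_DATA and (x := parse_extra(body)):
            key, sec, typ, blob = x
            self.clock = max(self.clock, sec)
            if key in self.pending:                              # orphaned extra data is dropped
                self.pending[key]["extra"][typ] = blob.decode("ascii", "replace")
        return self.flush(force=False)                           # events whose hold window expired
    def flush(self, force):             # force=True at end of file releases everything still open
        due = [k for k, e in self.pending.items() if force or self.clock - e["second"] > self.hold]
        return [self.pending.pop(k) for k in due]
def event_record(eid, sec, sig_id):     # constructed legacy IPv4 event; ports/protocol as in the dump
    body = struct.pack(">11IHHBBBB", 0, eid, sec, 0, sig_id, 1, 1, 0, 0, 0, 0, 80, 49892, 6, 0, 0, 0)
    return UNIFIED2_IDS_EVENT, body
def extra_record(eid, sec, typ, text):  # constructed extra data record, lengths as Snort writes them
    blob = text.encode()
    hdr = struct.pack(">8I", EVENT_TYPE_EXTRA_DATA, 32 + len(blob), 0, eid, sec, typ, 1, 8 + len(blob))
    return UNIFIED2_EXTRA_DATA, hdr + blob

def demo():
    """Replay the dump's ordering; the last event, 11 s later, moves the clock past the hold window."""
    stream = [event_record(14, 1337848659, 99999), event_record(31, 1337848659, 99999),
              extra_record(14, 1337848659, 9, "/forums/showthread.php?t=57055"),
              extra_record(14, 1337848659, 10, "www.howtoforge.com"), event_record(40, 1337848670, 1)]
    c, released = Correlator(hold_seconds=5), []
    for rtype, body in stream:
        released += c.feed(rtype, body)
    return released, c.flush(force=True)                         # second list: events still open at EOF
```

The hold window trades latency for completeness; the dump shows all extra data within the same event second, so a few seconds is enough there, while an orphan counter on the dropped branch tells you if the window is too short.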