[Snort-devel] Unified2 with EXTRA_DATA fields

beenph beenph at ...2499...
Fri May 25 00:21:17 EDT 2012


On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
<jaime.blasco at ...3060...> wrote:
> Hi,
>
> I want to explain a problem that we have while adapting our Unified2 parser
> to the new extra-data fields.
>
> The problem is that when you want to parse the events in real time you don't
> have a way to know if the Event will have an ExtraData later in the file.
>

Either keep a cache of events that previously happened or handle it in
your storage backend.

-elz
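The caching approach suggested above, written out as an added example; this is not code from the thread, from Snort, or from any Unified2 parser. It tails a Unified2 byte stream, parks each IDS event in an ordered cache, attaches EXTRA_DATA records that arrive later under the same (sensor_id, event_id, event_second) key, and emits an event only once a fixed number of newer events has gone past it (or at close). Extra data that arrives for an event already emitted, or never seen, is kept aside so the storage backend can merge it. The record type codes, the 52-byte legacy IDS event layout and the extra-data header/serial layout are assumptions from Snort's Unified2.h as I recall it, as are the HTTP URI/hostname type codes; the sample stream is constructed, not sensor output.

```python
"""Streaming Unified2 reader that caches events until their EXTRA_DATA
records arrive (or a window of newer events has passed)."""
import struct
from collections import OrderedDict

# Record types and layouts: assumed from Snort's Unified2.h as I recall it,
# not taken from the mailing-list thread. All fields are network byte order.
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110
EVENT_INFO_HTTP_URI = 9          # assumed extra-data type code
EVENT_INFO_HTTP_HOSTNAME = 10    # assumed extra-data type code

RECORD_HDR = struct.Struct("!II")        # type, length of the body that follows
IDS_EVENT = struct.Struct("!11I2H4B")    # legacy Unified2IDSEvent, 52 bytes
EXTRA_HDR = struct.Struct("!II")         # event_type, event_length
EXTRA_SERIAL = struct.Struct("!6I")      # sensor_id, event_id, event_second,
                                         # type, data_type, blob_length


def iter_records(buf):
    """Yield (type, body) for each complete record; stop at a truncated tail
    so a tailer can wait for the writer to finish and resume from there."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, length = RECORD_HDR.unpack_from(buf, off)
        if off + RECORD_HDR.size + length > len(buf):
            break
        off += RECORD_HDR.size
        yield rtype, buf[off:off + length]
        off += length


class EventCache:
    """Hold events until `window` newer events have been seen, attaching any
    EXTRA_DATA that arrives for them in the meantime."""

    def __init__(self, window=2):
        self.window = window
        self.pending = OrderedDict()   # (sensor_id, event_id, event_second) -> event
        self.orphans = []              # extra data whose event was already emitted

    def feed(self, rtype, body):
        """Consume one record; return the events that are now ready to emit."""
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(body)
            key = (f[0], f[1], f[2])
            self.pending[key] = {"sensor_id": f[0], "event_id": f[1],
                                 "event_second": f[2], "signature_id": f[4],
                                 "generator_id": f[5], "extra": []}
        elif rtype == UNIFIED2_EXTRA_DATA:
            s = EXTRA_SERIAL.unpack_from(body, EXTRA_HDR.size)
            key = (s[0], s[1], s[2])
            # Bound the blob by the record length rather than blob_length: in
            # Snort's writer blob_length also counts the data_type and
            # blob_length fields themselves (as I recall), an easy off-by-8.
            blob = body[EXTRA_HDR.size + EXTRA_SERIAL.size:]
            if key in self.pending:
                self.pending[key]["extra"].append((s[3], blob))
            else:
                self.orphans.append((key, s[3], blob))
        return self._flush(force=False)

    def _flush(self, force):
        done = []
        while self.pending and (force or len(self.pending) > self.window):
            _, ev = self.pending.popitem(last=False)   # oldest first
            done.append(ev)
        return done

    def close(self):
        """Emit everything still pending (end of file or shutdown)."""
        return self._flush(force=True)


def make_event(event_id, second, sig_id):
    """Build a constructed type-7 event record (sensor_id 0, gid 1, TCP)."""
    body = IDS_EVENT.pack(0, event_id, second, 0, sig_id, 1, 1, 3, 2,
                          0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def make_extra(event_id, second, etype, data):
    """Build a constructed EXTRA_DATA record for event_id (blob type 1)."""
    serial = EXTRA_SERIAL.pack(0, event_id, second, etype, 1, 8 + len(data))
    body = EXTRA_HDR.pack(4, EXTRA_SERIAL.size + len(data)) + serial + data
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body


def process(buf, window=2):
    """Run a whole buffer through the cache; return (events, orphans)."""
    cache = EventCache(window)
    out = []
    for rtype, body in iter_records(buf):
        out.extend(cache.feed(rtype, body))
    out.extend(cache.close())
    return out, cache.orphans


# Constructed sample stream: extra data for events 1 and 3 arrives after
# later events, and one extra-data record refers to an event never seen.
SAMPLE = b"".join([
    make_event(1, 1337900000, 2000001),
    make_event(2, 1337900000, 2000002),
    make_extra(1, 1337900000, EVENT_INFO_HTTP_URI, b"/index.php?id=1"),
    make_event(3, 1337900001, 2000003),
    make_extra(3, 1337900001, EVENT_INFO_HTTP_HOSTNAME, b"example.test"),
    make_extra(99, 1337900001, EVENT_INFO_HTTP_URI, b"/orphan"),
])

if __name__ == "__main__":
    events, orphans = process(SAMPLE)
    for ev in events:
        print(ev["event_id"], ev["signature_id"], ev["extra"])
    print("orphans:", orphans)
```

The window is the knob to tune: Snort writes the extra-data records right after the event they belong to, so a window of a handful of events is usually enough, but a larger window costs only memory while a too-small one turns extra data into orphans that the backend then has to reconcile. The truncated-tail check in iter_records matters for real-time use, since the reader will routinely see a half-written record at the end of the file.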
