[Snort-devel] Unified2 with EXTRA_DATA fields

Jaime Blasco jaime.blasco at ...3060...
Fri May 25 04:49:25 EDT 2012


Hi,

Yes, that is the obvious solution. The problem is that the system will be
slowed down using that approach. Is there any plan to include a flag on the
Packet data to show the Packet will have an associated ExtraData?

Best Regards

On Fri, May 25, 2012 at 6:21 AM, beenph <beenph at ...2499...> wrote:

> On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
> <jaime.blasco at ...3060...> wrote:
> > Hi,
> >
> > I want to explain a problem that we have while adapting our Unified2
> > parser to the new extra-data fields.
> >
> > The problem is that when you want to parse the events in real time you
> > don't have a way to know if the Event will have an ExtraData later in
> > the file.
> >
>
> Either keep a cache of events that previously happened or handle it in
> your storage backend.
>
> -elz
>



-- 
_______________________________

Jaime Blasco

AlienVault Labs Manager

www.ossim.com
labs.alienvault.com
Email: jaime.blasco at ...3060...

http://twitter.com/jaimeblascob
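The "keep a cache of events" approach from the thread, worked through as a small streaming reader. This is an added example written for this page; it is not Snort's code, nor the Unified2 parser the posters are discussing. Record type numbers (7 for the IPv4 IDS event, 110 for extra data) and the leading field order of the event and extra-data records follow my reading of the Unified2 spec and should be checked against Snort's Unified2 header before use; the bounded-cache eviction policy, the `MAX_PENDING` value and the byte stream are assumptions constructed for the demo. It also handles the real-time edge case the thread touches on: a record that is only half written when the file is read.

```python
"""Streaming Unified2 reader that attaches EXTRA_DATA records to the event
they belong to, using a bounded cache of events still awaiting extra data."""
import struct
from collections import OrderedDict

UNIFIED2_IDS_EVENT = 7      # IPv4 IDS event record type (per Unified2 spec)
UNIFIED2_EXTRA_DATA = 110   # extra-data record type (HTTP URI, XFF address, ...)
MAX_PENDING = 64            # assumption: events held back while extra data may follow


def split_records(buf):
    """Split buf into complete (rec_type, payload) records.

    Each record starts with a big-endian u32 type and u32 length. Returns the
    records plus the unconsumed tail: when tailing a file being written, the
    last record is often partial, so the caller prepends the tail to the next
    read instead of failing."""
    records, off = [], 0
    while off + 8 <= len(buf):
        rec_type, rec_len = struct.unpack_from(">II", buf, off)
        if off + 8 + rec_len > len(buf):
            break                       # incomplete record: wait for more bytes
        records.append((rec_type, buf[off + 8:off + 8 + rec_len]))
        off += 8 + rec_len
    return records, buf[off:]


class EventCorrelator:
    """Bounded cache of events keyed by (sensor_id, event_id).

    Unified2 carries no flag saying whether extra data will follow an event, so
    an event is released only after max_pending newer events have arrived (or on
    flush()). Extra data seen in the meantime is attached to the cached event."""

    def __init__(self, max_pending=MAX_PENDING):
        self.pending = OrderedDict()
        self.max_pending = max_pending
        self.orphans = []               # extra data with no cached event: worth logging

    def feed(self, rec_type, payload):
        """Consume one record; return the events that are now complete."""
        done = []
        if rec_type == UNIFIED2_IDS_EVENT:
            # leading fields of the IDS event record; the rest is left opaque here
            sensor_id, event_id, sec, sig_id, gen_id = struct.unpack_from(">5I", payload)
            self.pending[(sensor_id, event_id)] = {
                "sensor_id": sensor_id, "event_id": event_id, "event_second": sec,
                "gid": gen_id, "sid": sig_id, "extra": []}
            while len(self.pending) > self.max_pending:
                done.append(self.pending.popitem(last=False)[1])
        elif rec_type == UNIFIED2_EXTRA_DATA:
            # extra-data header (2 x u32) then the extra-data struct (6 x u32);
            # assumption: the blob is everything after those 32 bytes, so the
            # blob_length field's exact accounting is not relied on
            (_hdr_type, _hdr_len, sensor_id, event_id, _sec,
             xtype, data_type, _blob_len) = struct.unpack_from(">8I", payload)
            blob = payload[32:]
            ev = self.pending.get((sensor_id, event_id))
            if ev is None:
                self.orphans.append((sensor_id, event_id, xtype, blob))
            else:
                ev["extra"].append({"type": xtype, "data_type": data_type, "blob": blob})
        return done

    def flush(self):
        """Release everything still cached (e.g. at shutdown or on a timer)."""
        done = list(self.pending.values())
        self.pending.clear()
        return done


# --- constructed sample stream (not captured from Snort) --------------------
def _record(rec_type, body):
    return struct.pack(">II", rec_type, len(body)) + body


def _event(sensor_id, event_id, sec, sid, gid):
    body = struct.pack(">5I", sensor_id, event_id, sec, sid, gid)
    return _record(UNIFIED2_IDS_EVENT, body.ljust(52, b"\0"))  # pad remaining fields


def _extra(sensor_id, event_id, sec, xtype, blob):
    body = struct.pack(">8I", UNIFIED2_EXTRA_DATA, 24 + len(blob),
                       sensor_id, event_id, sec, xtype, 1, len(blob) + 8) + blob
    return _record(UNIFIED2_EXTRA_DATA, body)


def demo():
    stream = (_event(1, 10, 1337000000, 2001, 1)
              + _extra(1, 10, 1337000000, 9, b"/index.php?id=1")
              + _event(1, 11, 1337000001, 2002, 1)
              + _extra(1, 99, 1337000001, 9, b"orphan"))      # event 99 never existed
    chunks = [stream[:70], stream[70:]]   # first read cuts an extra-data record in half
    corr, out, tail = EventCorrelator(max_pending=1), [], b""
    for chunk in chunks:
        records, tail = split_records(tail + chunk)
        for rec_type, payload in records:
            out.extend(corr.feed(rec_type, payload))
    out.extend(corr.flush())
    return out, corr.orphans, tail


if __name__ == "__main__":
    for ev in demo()[0]:
        print(ev["event_id"], ev["gid"], ev["sid"], ev["extra"])
```

The cost Jaime raises is visible in the design: with no flag on the event, every event sits in the cache until `max_pending` newer ones push it out, so the bound is a trade-off between memory and how long downstream consumers wait. A production reader would add a time-based flush alongside the count, and treat orphans (extra data for an event already evicted, or never seen) as a signal that the bound is too small.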