[Snort-devel] Unified2 with EXTRA_DATA fields
jaime.blasco at ...3060...
Fri May 25 04:49:25 EDT 2012
Yes, that is the obvious solution. The problem is that the system will be
slowed down using that approach. Is there any plan to include a flag on the
Packet data to show the Packet will have an associated ExtraData?
On Fri, May 25, 2012 at 6:21 AM, beenph <beenph at ...2499...> wrote:
> On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
> <jaime.blasco at ...3060...> wrote:
> > Hi,
> > I want to explain a problem that we have while adapting our Unified2
> > to the new extra-data fields.
> > The problem is that when you want to parse the events in real time you
> > have a way to know if the Event will have an ExtraData later in the file.
> Either keep a cache of events that previously happened or handle it in
> your storage backend.
AlienVault Labs Manager
Email: jaime.blasco at ...3060...
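
The event cache suggested in the quoted reply, sketched as an added example that is not part of the original thread or of Snort's code. The record type numbers (7, 72, 104, 105 for events, 110 for ExtraData), the 8-byte record header and the ExtraData field order are assumptions based on Snort's Unified2 layout; the names `EventCache`, `records` and `rec` and the sample bytes are constructed for illustration.

```python
import struct
from collections import OrderedDict

# Assumed from Snort's Unified2 layout; check against your Snort headers.
EVENT_TYPES = {7, 72, 104, 105}  # IDS event records
EXTRA_DATA = 110                 # ExtraData record

def records(buf):
    """Yield (type, body) per complete record; stop at a partial tail."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, off)
        if off + 8 + rlen > len(buf):
            break  # writer has not finished this record yet
        yield rtype, buf[off + 8:off + 8 + rlen]
        off += 8 + rlen

class EventCache:
    """Bounded cache of recent events so later ExtraData can be attached."""
    def __init__(self, max_events=1024):
        self.max_events = max_events
        self.events = OrderedDict()  # (sensor_id, event_id, event_second) -> extras
        self.orphans = []            # ExtraData whose event was evicted or never seen

    def feed(self, buf):
        for rtype, body in records(buf):
            if rtype in EVENT_TYPES and len(body) >= 12:
                key = struct.unpack_from(">III", body, 0)
                self.events[key] = []
                if len(self.events) > self.max_events:
                    self.events.popitem(last=False)  # evict the oldest event
            elif rtype == EXTRA_DATA and len(body) >= 32:
                # 8-byte extra-data header, then six big-endian 32-bit fields
                sensor, eid, sec, info, _dtype, _blen = struct.unpack_from(">6I", body, 8)
                extras = self.events.get((sensor, eid, sec))
                (self.orphans if extras is None else extras).append((info, body[32:]))
        return self

def rec(rtype, body):
    """Build one record (helper for the constructed sample below)."""
    return struct.pack(">II", rtype, len(body)) + body

# Constructed sample: one event, one packet record, one ExtraData record.
TS = 1337935765
SAMPLE = (rec(7, struct.pack(">III", 1, 42, TS) + bytes(40))
          + rec(2, bytes(28))
          + rec(110, struct.pack(">8I", 4, 19, 1, 42, TS, 9, 1, 19) + b"/index.html"))

if __name__ == "__main__":
    print(EventCache().feed(SAMPLE).events)
```

The cache bound is the trade-off raised in the thread: ExtraData that arrives after its event has been evicted ends up in `orphans` and has to be reconciled in the storage backend.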