[Snort-devel] Unified2 with EXTRA_DATA fields

Steven Sturges ssturges at ...402...
Fri May 25 09:23:47 EDT 2012


Hi Jamie--

The issue is that when an event is logged, Snort may not have seen
enough of the connection to know that there will be extra data logged.
To do this, Snort would need to hold on to more packets before logging
an event, which is not optimal in terms of memory or performance.

Snort does provide linking information in the extra data structure,
so that it can easily be associated w/ the event itself, so as Eric
suggests, doing that in the back-end/event storage is the best option.

Cheers.
-steve

On 5/25/12 4:49 AM, Jaime Blasco wrote:
> Hi,
>
> Yes, that is the obvious solution. The problem is that the system will
> be slowed down using that approach. is there any plan to include a flag
> on the Packet data to show the Packet will have an associated ExtraData?
>
> Best Regards
>
> On Fri, May 25, 2012 at 6:21 AM, beenph <beenph at ...2499...
> <mailto:beenph at ...2499...>> wrote:
>
>     On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
>     <jaime.blasco at ...3060... <mailto:jaime.blasco at ...3060...>>
>     wrote:
>      > Hi,
>      >
>      > I want to explain a problem that we have while adapting our
>     Unified2 parser
>      > to the new extra-data fields.
>      >
>      > The problem is that when you want to parse the vents in real time
>     you don't
>      > have a way to know if the Event will have an ExtraData later in
>     the file.
>      >
>
>     Either keep a cache of events that previously happened or handle it in
>     your storage backend.
>
>     -elz
>
>
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> AlienVault Labs Manager
>
> www.ossim.com <http://www.ossim.com>
> labs.alienvault.com <http://labs.alienvault.com>
> Email: jaime.blasco at ...3060... <mailto:jaime.blasco at ...3060...>
>
> http://twitter.com/jaimeblascob
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-devel mailing list