[Snort-users] Fwd: Re: barnyard2-1.10 major problem

beenph beenph at ...11827...
Thu Oct 25 09:18:51 EDT 2012


On Thu, Oct 25, 2012 at 9:13 AM, Jack <kingofnerds at ...11827...> wrote:
> ---------- Forwarded message ----------
> From: "Jack" <kingofnerds at ...11827...>
> Date: Oct 25, 2012 9:11 AM
> Subject: Re: [Snort-users] barnyard2-1.10 major problem
> To: "beenph" <beenph at ...11827...>
>
> Last time I enabled the alert on each packet, I just got more alerts. What
> I think is being requested is to have all the packets in a single alert for
> one event.


That's not really the way it works.

Since an event can have multiple packets.

At the output plugin level, the output plugin expects an event structure
and a packet structure.

What the cache does is cache the event structure, and when a packet
matches a previously triggered event it will call the output plugin
with the associated event structure (event record) and the currently
processed packet.

So it's the expected behavior.

The reason I didn't click right away is that the 2.2 spooler behaves like
this by default and does not need any command line argument.

-elz
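To make the per-packet behaviour described in this reply concrete, here is an added Python model of the spooler's event cache (constructed for this page, not barnyard2's own code): event records are cached by (sensor_id, event_id), and each later packet record with a matching key triggers one output-plugin call with the cached event, so one event with two packets yields two alerts, never one combined alert. The class and field names and the sample record stream are assumptions; the record type numbers 7 and 2 match Snort's unified2 definitions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
UNIFIED2_IDS_EVENT = 7   # record type numbers as defined in Snort's unified2 format
UNIFIED2_PACKET = 2

@dataclass(frozen=True)
class EventRecord:            # the "event structure" the output plugin expects
    sensor_id: int
    event_id: int
    signature_id: int

@dataclass(frozen=True)
class PacketRecord:           # the "packet structure" that follows an event
    sensor_id: int
    event_id: int
    packet_second: int

class EventCacheModel:
    """Constructed model of the spooler's event cache; not barnyard2's own code."""
    def __init__(self, output_plugin: Callable[[EventRecord, PacketRecord], None]) -> None:
        self.output_plugin = output_plugin
        self.cache: Dict[Tuple[int, int], EventRecord] = {}  # keyed by (sensor_id, event_id)
        self.orphaned_packets = 0  # packets whose event was never cached

    def process(self, rec_type: int, rec) -> None:
        key = (rec.sensor_id, rec.event_id)
        if rec_type == UNIFIED2_IDS_EVENT:
            self.cache[key] = rec             # remember the event record, emit nothing yet
        elif rec_type == UNIFIED2_PACKET:
            event = self.cache.get(key)
            if event is None:
                self.orphaned_packets += 1    # nothing to pair this packet with
                return
            self.output_plugin(event, rec)    # one output-plugin call per packet

def run_demo() -> Tuple[List[Tuple[int, int, int]], int]:
    """Feed a constructed record stream; return (alerts emitted, orphaned packet count)."""
    alerts: List[Tuple[int, int, int]] = []
    spooler = EventCacheModel(lambda ev, pkt: alerts.append((ev.event_id, ev.signature_id, pkt.packet_second)))
    stream = [
        (UNIFIED2_IDS_EVENT, EventRecord(1, 100, 2000001)),   # one event ...
        (UNIFIED2_PACKET, PacketRecord(1, 100, 10)),          # ... with two packets
        (UNIFIED2_PACKET, PacketRecord(1, 100, 11)),
        (UNIFIED2_IDS_EVENT, EventRecord(1, 101, 2000002)),
        (UNIFIED2_PACKET, PacketRecord(1, 101, 13)),
        (UNIFIED2_PACKET, PacketRecord(1, 999, 14)),          # event never seen: no alert
    ]
    for rec_type, rec in stream:
        spooler.process(rec_type, rec)
    return alerts, spooler.orphaned_packets
```

Running `run_demo()` gives three alerts (two for event 100, one for event 101) and one orphaned packet, which is the "more alerts" effect seen when a rule logs every packet of an event.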



