[Snort-users] Fwd: Re: barnyard2-1.10 major problem

beenph beenph at ...11827...
Thu Oct 25 12:02:53 EDT 2012


On Thu, Oct 25, 2012 at 11:57 AM, Lawrence R. Hughes, Sr.
<lhughes at ...14822...> wrote:
> Beenph,
>
> So what I see, and correct me if I am wrong, is that you take a single event from
> snort that has 2 packets and create 2 separate events in the database.
>
> So if I had a single event from snort that has 6 packets that are all listed
> with the same event_id, barnyard would create 6 events in the snort.event
> database, correct?
>
> If this is the case, please explain why you would break the packets from a
> single event into several events.
>
That's exact.

We do not break anything up; it is logged to the database as it is present
in the unified2 file:
UNIFIED2_RECORD_HEADER
EVENT X
UNIFIED2_RECORD_HEADER
PACKET1  EVENT X
UNIFIED2_RECORD_HEADER
PACKET2  EVENT X
UNIFIED2_RECORD_HEADER
PACKETN EVENT X

-elz
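The record sequence elz lays out above (one event record, then one packet record per packet, each packet carrying the same event_id) can be checked directly against a unified2 file. The following is an added example, not code from the thread, from barnyard2 or from Snort: it builds a small constructed unified2 stream (one IDS event with three packet records), walks it record by record and counts packet records per event. Field layouts assume the Unified2IDSEvent (type 7) and Serial_Unified2Packet (type 2) structures from Snort's Unified2_common.h, in network byte order; the sample sensor id, event id, timestamps, addresses and packet bytes are invented for the example.

```python
import struct
from collections import defaultdict

# Record type codes from Snort's Unified2_common.h (assumed here, not taken from the thread).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Unified2_RecordHeader: type, length (length excludes the 8-byte header itself).
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked  -> 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
# Serial_Unified2Packet fixed part: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length -> 28 bytes,
# followed by packet_length bytes of packet data.
PACKET_HDR = struct.Struct("!7I")


def build_event(sensor_id, event_id, event_second, sid, gid, rev, src, dst, sport, dport, proto):
    """Serialise one type-7 event record (header + body)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0, sid, gid, rev,
                          0, 1, src, dst, sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, pkt_second, data):
    """Serialise one type-2 packet record tied to (sensor_id, event_id, event_second)."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, pkt_second, 0, 1, len(data)) + data
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(blob):
    """Yield (type, body) for each record; refuse truncated or trailing data."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + rlen > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off:off + rlen]
        off += rlen
    if off != len(blob):
        raise ValueError("%d trailing bytes after last record" % (len(blob) - off))


def parse_unified2(blob):
    """Return (events, packets): events keyed by (sensor_id, event_id, event_second),
    packets as a dict from that same key to the list of raw packet payloads.
    sensor_id and event_second are included in the key because event_id alone
    is not unique across sensors or Snort restarts."""
    events = {}
    packets = defaultdict(list)
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body)
            events[(f[0], f[1], f[2])] = {"sid": f[4], "gid": f[5], "rev": f[6],
                                          "src": f[9], "dst": f[10], "proto": f[13]}
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)
            data = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
            packets[(f[0], f[1], f[2])].append(data)
        # other record types (extra data, IPv6 events, ...) are skipped here
    return events, dict(packets)


def packets_per_event(blob):
    """Number of packet records the file carries for each event."""
    _, packets = parse_unified2(blob)
    return {key: len(pkts) for key, pkts in packets.items()}


# Constructed sample: one event (sensor 1, event_id 42) followed by three packet
# records that all reference it, exactly the sequence described in the thread.
_SENSOR, _EVENT_ID, _EVENT_SEC = 1, 42, 1351180800
SAMPLE_BLOB = build_event(_SENSOR, _EVENT_ID, _EVENT_SEC, sid=2000001, gid=1, rev=3,
                          src=0x0A000001, dst=0x0A000002, sport=44321, dport=80, proto=6)
for i in range(3):
    SAMPLE_BLOB += build_packet(_SENSOR, _EVENT_ID, _EVENT_SEC, _EVENT_SEC + i,
                                b"\x45\x00\x00\x28" + bytes([i]) * 36)

if __name__ == "__main__":
    for key, count in packets_per_event(SAMPLE_BLOB).items():
        print("sensor=%d event_id=%d event_second=%d packets=%d" % (key + (count,)))
```

Reading a real spool file is the same loop over `open(path, "rb").read()`; a consumer that wants one database row per event rather than one per packet record has to do the grouping itself on the (sensor_id, event_id, event_second) triple, since nothing in the file marks the packet records as belonging together except those fields.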