[Snort-users] Fwd: Re: barnyard2-1.10 major problem

beenph beenph at ...11827...
Thu Oct 25 12:46:28 EDT 2012


u2spewfoo shows it as 1 event, two packets.

Look
>        sensor id: 0    event id: 1     event second: 1350903278
>        packet second: 1350903278       packet microsecond: 178786
>        linktype: 1     packet_length: 449

>        sensor id: 0    event id: 1     event second: 1350903278
>        packet second: 1350903278       packet microsecond: 300156
>        linktype: 1     packet_length: 381


> You have it all wrong beenph!
> Just ask the guys at SF the above should be treated as a single event with 2
> packets.

It's how it's treated.

1 event, 2 packets.

But with the current database schema it's logged as two full events.

The problem you highlight is not the spooler. It is the default
database schema.
If you use that schema in your commercial activities, you have to
deal with/understand its restrictions.

The new schema will handle this without an issue. In the meantime you
can probably correlate this by writing a smart query.

Cheers,
-elz
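One shape such a correlating query could take, as an added example that is not part of the post or of barnyard2 itself: it assumes the stock Snort/barnyard2 schema's `event` (sid, cid, signature, timestamp) and `iphdr` (sid, cid, ip_src, ip_dst) tables, and, because that schema stores no unified2 event id, approximates the event by sensor, signature, second and IP pair.

```sql
-- Added example (not from the thread): group rows that the default
-- schema stored as separate "events" but that most likely belong to one
-- multi-packet unified2 event, such as the two packets in the u2spewfoo
-- output above. Assumes the stock schema tables event and iphdr.
SELECT e.sid,                      -- sensor id
       e.signature,                -- signature key into the signature table
       e.timestamp,                -- event second (no sub-second part)
       i.ip_src,
       i.ip_dst,
       COUNT(*)   AS packet_rows,  -- how many rows (packets) were logged
       MIN(e.cid) AS first_cid,    -- first row of the group
       MAX(e.cid) AS last_cid      -- last row of the group
FROM event e
JOIN iphdr i
  ON i.sid = e.sid
 AND i.cid = e.cid
-- The stock schema has no column for the unified2 event id, so the
-- grouping key below is an approximation of "same event".
GROUP BY e.sid, e.signature, e.timestamp, i.ip_src, i.ip_dst
HAVING COUNT(*) > 1
ORDER BY e.timestamp, e.sid, first_cid;
```

Because `timestamp` has one-second resolution, two distinct events with the same tuple in the same second are merged, and one event whose packets straddle a second boundary is split; treat the result as a correlation aid, not a definitive count.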
