[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Oct 25 12:49:20 EDT 2012


Where is the new schema you mentioned?

----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
Cc: <barnyard2-users at ...14071...>; "snort-users" 
<snort-users at lists.sourceforge.net>
Sent: Thursday, October 25, 2012 12:46 PM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


> u2spewfoo shows it as 1 event, two packets.
>
> Look
>>        sensor id: 0    event id: 1     event second: 1350903278
>>        packet second: 1350903278       packet microsecond: 178786
>>        linktype: 1     packet_length: 449
>
>>        sensor id: 0    event id: 1     event second: 1350903278
>>        packet second: 1350903278       packet microsecond: 300156
>>        linktype: 1     packet_length: 381
>
>
>> You have it all wrong beenph!
>> Just ask the guys at SF the above should be treated as a single event
>> with 2 packets.
>
> It's how it's treated.
>
> 1 event, 2 packets
>
> But with the current database schema it's logged as two full events.
>
> The problem you highlight is not the spooler. It is the default
> database schema.
> If you use that schema in your commercial activities you have to
> deal with/understand its restrictions.
>
> The new schema will handle this without an issue. In the meantime you
> can probably correlate this by writing a smart query.
>
> Cheers,
> -elz
> 
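The u2spewfoo dump quoted above shows the structure that the default schema flattens: two Unified2 packet records carrying the same sensor id and event id. The following is an added Python example, not code from the thread or from barnyard2; it builds constructed packet records (Unified2 record type 2, seven big-endian uint32 header fields, as in Snort's Unified2 layout) with the values from the dump and groups them by (sensor_id, event_id), which is the correlation that gets lost when each packet is stored as a separate event.

```python
import struct
from collections import defaultdict

# Unified2 record header (type, length) and packet-record header; all fields
# are big-endian uint32 per the Snort Unified2 layout.
UNIFIED2_PACKET = 2
RECORD_HDR = struct.Struct("!II")
PACKET_HDR = struct.Struct("!7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def build_packet_record(sensor_id, event_id, event_second, packet_second,
                        packet_microsecond, linktype, payload):
    """Serialise one Unified2 packet record (used here for constructed data)."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, packet_second,
                           packet_microsecond, linktype, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

def iter_records(blob):
    """Yield (type, body) per record; stop cleanly on a truncated spool tail."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, length = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + length > len(blob):
            break  # partial record at end of file: the spooler would wait
        yield rtype, blob[off:off + length]
        off += length

def packets_per_event(blob):
    """Map (sensor_id, event_id) -> list of packet-record field dicts."""
    events = defaultdict(list)
    for rtype, body in iter_records(blob):
        if rtype != UNIFIED2_PACKET or len(body) < PACKET_HDR.size:
            continue
        fields = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
        if len(body) != PACKET_HDR.size + fields["packet_length"]:
            continue  # declared packet_length disagrees with record length
        events[(fields["sensor_id"], fields["event_id"])].append(fields)
    return dict(events)

# Constructed spool contents mirroring the dump in the thread: one event
# (sensor 0, event 1) with two packets of 449 and 381 bytes.
SAMPLE = (
    build_packet_record(0, 1, 1350903278, 1350903278, 178786, 1, b"\xaa" * 449)
    + build_packet_record(0, 1, 1350903278, 1350903278, 300156, 1, b"\xbb" * 381)
)
```

Running `packets_per_event(SAMPLE)` yields a single key `(0, 1)` with two packet entries, i.e. one event with two packets rather than two events.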
