[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Safwat Fahmy safwat.fahmy at ...14822...
Thu Oct 25 13:05:19 EDT 2012


Can you please explain to me how the schema causes this issue if BY2 delivers
2 separate events, not one event with two assembled packets?

This might help me understand better, to find a workaround.

Safwat 
-----Original Message-----
From: beenph [mailto:beenph at ...11827...] 
Sent: Thursday, October 25, 2012 12:46 PM
To: Lawrence R. Hughes, Sr.
Cc: barnyard2-users at ...14071...; snort-users
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem

u2spewfoo shows it as 1 event, two packets.

Look
>        sensor id: 0    event id: 1     event second: 1350903278
>        packet second: 1350903278       packet microsecond: 178786
>        linktype: 1     packet_length: 449

>        sensor id: 0    event id: 1     event second: 1350903278
>        packet second: 1350903278       packet microsecond: 300156
>        linktype: 1     packet_length: 381


> You have it all wrong beenph!
> Just ask the guys at SF, the above should be treated as a single event with
> 2 packets.

It's how it's treated.

1 event, 2 packets.

But with the current database schema it's logged as two full events.

The problem you highlight is not the spooler. It is the default
database schema.
If you use that schema in your commercial activities you have to
deal with/understand its restrictions.

The new schema will handle this without an issue. In the meantime you
can probably correlate this by writing a smart query.

Cheers,
-elz
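The correlation beenph refers to, as an added example that is not part of the thread and not barnyard2's own code. It assumes the default barnyard2/Snort `event` and `iphdr` tables (sid, cid, signature, timestamp and sid, cid, ip_src, ip_dst) and that the default schema does not store the unified2 event id, so the two packets of one event land as two rows sharing sid, signature, second and IP pair. The rows are constructed to mirror the u2spewfoo output quoted above (cid 101 and 102 are the two packets of the one event); the `signature` values and IP addresses are illustrative.

```python
import sqlite3

# Assumed subset of the default barnyard2/Snort database schema. The unified2
# event id is not stored, so every packet of a multi-packet event becomes its
# own row in `event` with a fresh cid and the same sid/signature/timestamp.
SCHEMA = """
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
    PRIMARY KEY (sid, cid));
"""

# Constructed sample rows. cid 101 and 102 mirror the u2spewfoo output in the
# thread: one event (sensor 0, event id 1, second 1350903278, which is
# 2012-10-22 10:54:38 UTC) delivered as two packets. `signature` is an assumed
# key into the signature table; IPs are stored as unsigned 32-bit integers.
SRC = (10 << 24) | 5            # 10.0.0.5
DST_A = (192 << 24) | (2 << 8) | 10   # 192.0.2.10
DST_B = (192 << 24) | (2 << 8) | 11   # 192.0.2.11
T0 = "2012-10-22 10:54:38"

ROWS_EVENT = [
    (0, 101, 7, T0),                     # packet 1 of the two-packet event
    (0, 102, 7, T0),                     # packet 2 of the same event
    (0, 103, 7, "2012-10-22 10:55:02"),  # same signature, later second
    (0, 104, 8, T0),                     # different signature, same second
    (0, 105, 7, T0),                     # same signature/second, other dst
]
ROWS_IPHDR = [
    (0, 101, SRC, DST_A), (0, 102, SRC, DST_A), (0, 103, SRC, DST_A),
    (0, 104, SRC, DST_A), (0, 105, SRC, DST_B),
]

# Groups of rows that can only have come from one unified2 event being logged
# once per packet: same sensor, same signature, same second, same IP pair.
SPLIT_EVENTS_SQL = """
SELECT e.sid, e.signature, e.timestamp, i.ip_src, i.ip_dst,
       COUNT(*) AS packets, MIN(e.cid) AS first_cid
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY e.sid, e.signature, e.timestamp, i.ip_src, i.ip_dst
HAVING COUNT(*) > 1
ORDER BY e.sid, first_cid;
"""

# Member cids of one such group, in logging order.
MEMBERS_SQL = """
SELECT e.cid
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.sid = ? AND e.signature = ? AND e.timestamp = ?
  AND i.ip_src = ? AND i.ip_dst = ?
ORDER BY e.cid;
"""


def build_sample_db():
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", ROWS_EVENT)
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", ROWS_IPHDR)
    conn.commit()
    return conn


def find_split_events(conn):
    """Return one dict per event that the default schema split into several
    rows, with the cids that belong together (first cid = the event key)."""
    found = []
    for sid, sig, ts, src, dst, packets, first_cid in conn.execute(SPLIT_EVENTS_SQL):
        cids = [cid for (cid,) in conn.execute(MEMBERS_SQL, (sid, sig, ts, src, dst))]
        found.append({"sid": sid, "signature": sig, "timestamp": ts,
                      "ip_src": src, "ip_dst": dst, "event_cid": first_cid,
                      "packets": packets, "cids": cids})
    return found


if __name__ == "__main__":
    for ev in find_split_events(build_sample_db()):
        print(f"sid {ev['sid']} sig {ev['signature']} at {ev['timestamp']}: "
              f"{ev['packets']} rows, cids {ev['cids']}")
```

The grouping key is the only information the default schema keeps in common between the two rows, so the query also merges two genuinely distinct alerts of the same signature between the same hosts in the same second; that ambiguity is the schema restriction beenph mentions, not something the query can resolve. The row with cid 105 (same signature and second, different destination) is left alone, as is cid 103 (later second) and cid 104 (other signature).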

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net