Snort mailing list archives
Re: Unified2 Record Order
From: Steven Sturges <ssturges () sourcefire com>
Date: Sat, 04 Jun 2011 11:44:09 -0400
Yes, this is possible... When tagging packets associated with events, subsequent packets are logged as they arrive, and could be interspersed with other events and packets.

Within the unified2 structure, there is an event ID, and all data associated with a unique event are logged with that event ID. That includes the event itself, any associated packets, as well as extra data events (e.g., X-Forwarded-For data from HTTP that was added in 2.9.0).

Hope this helps.

Cheers.
-steve

On 6/3/11 6:10 PM, firnsy wrote:
G'day Snort dev,

I need some clarification regarding the record order in unified2 files. Is it possible to receive a Packet record (1) at a later stage in the file that is associated with an earlier Event (A) record, which has a number of unrelated Event (B, C, ...) and Packet (2, 3, ...) records in between?

For example (hopefully it makes sense): ...A1111B2C3D44444441E5 ...

I have the feeling I've seen this before, and it was a packet from a portscan event that occurred previously, but other events had occurred (and had been written) in between. This was a long time ago though, and I'm now kinda doubting if I saw it at all. It seems entirely possible this can happen, particularly with portscan events/packets, but I just want to make sure.

Regards,
firnsy

------------------------------------------------------------------------------ Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Discover what all the cheering's about. Get your free trial download today. http://p.sf.net/sfu/quest-dev2dev2 _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
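The point of the reply is that a unified2 consumer must never assume a packet or extra-data record directly follows its event: it has to key every record on the event ID and attach it to whichever event that ID names, however many unrelated records sit in between. Below is an added Python example of such a reader (my own code, not Snort's, barnyard2's or anything from this thread). It assumes the record layouts as I recall them from Snort's unified2.h (8-byte record header of type and length, 52-byte legacy IPv4 IDS event, 28-byte packet header, 8-byte extra-data header plus 24-byte extra-data body), the type IDs 7, 2 and 110, and keys events on the (sensor_id, event_id, event_second) triple, which is how I have seen consumers disambiguate wrapped event IDs; the sample stream, signature IDs and addresses are constructed. The "A-late" packet and the X-Forwarded-For extra-data record deliberately arrive after events B and C, reproducing the order asked about in the thread.

```python
"""Group interleaved unified2 records by event ID (added example, not Snort code)."""
import struct
from collections import OrderedDict

# Record type IDs as I recall them from unified2.h (assumption).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event; IPv6/V2 events are not modelled here
UNIFIED2_EXTRA_DATA = 110

REC_HDR_FMT = "!II"            # type, length of the data that follows
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"  # sensor_id, event_id, event_second, event_usec, sid, gid,
                               # rev, class, prio, src, dst, sport, dport, proto, impact_flag, impact, blocked
PACKET_FMT = "!IIIIIII"        # sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, packet_length
EXTRA_HDR_FMT = "!II"          # event_type, event_length
EXTRA_FMT = "!IIIIII"          # sensor_id, event_id, event_second, type, data_type, blob_length


def iter_records(buf):
    """Yield (rec_type, payload) for each record; refuse truncated or trailing bytes."""
    off = 0
    while off + 8 <= len(buf):
        rec_type, length = struct.unpack_from(REC_HDR_FMT, buf, off)
        off += 8
        if off + length > len(buf):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rec_type, buf[off:off + length]
        off += length
    if off != len(buf):
        raise ValueError("%d trailing bytes after last record" % (len(buf) - off))


def parse_event(payload):
    f = struct.unpack(EVENT_FMT, payload[:struct.calcsize(EVENT_FMT)])
    return {"key": (f[0], f[1], f[2]), "signature_id": f[4], "generator_id": f[5],
            "src": f[9], "dst": f[10], "sport": f[11], "dport": f[12], "proto": f[13]}


def parse_packet(payload):
    f = struct.unpack(PACKET_FMT, payload[:28])
    data = payload[28:28 + f[6]]
    if len(data) != f[6]:
        raise ValueError("packet_length %d exceeds record" % f[6])
    return {"key": (f[0], f[1], f[2]), "packet_second": f[3], "linktype": f[5], "data": data}


def parse_extra(payload):
    f = struct.unpack(EXTRA_FMT, payload[8:32])   # skip the 8-byte Unified2ExtraDataHdr
    return {"key": (f[0], f[1], f[2]), "type": f[3], "blob": payload[32:32 + f[5]]}


def group_by_event(buf):
    """Return an OrderedDict key -> {'event', 'packets', 'extra'} in first-seen order.
    A packet or extra-data record whose event has not been seen still gets a bucket,
    so nothing is silently dropped if the stream was cut mid-event."""
    events = OrderedDict()
    for rec_type, payload in iter_records(buf):
        if rec_type == UNIFIED2_IDS_EVENT:
            ev = parse_event(payload)
            events.setdefault(ev["key"], {"event": None, "packets": [], "extra": []})["event"] = ev
        elif rec_type == UNIFIED2_PACKET:
            pk = parse_packet(payload)
            events.setdefault(pk["key"], {"event": None, "packets": [], "extra": []})["packets"].append(pk)
        elif rec_type == UNIFIED2_EXTRA_DATA:
            xd = parse_extra(payload)
            events.setdefault(xd["key"], {"event": None, "packets": [], "extra": []})["extra"].append((xd["type"], xd["blob"]))
        # other record types (IPv6 / V2 events) are skipped in this example
    return events


# --- writers used only to build the constructed sample stream ---------------------
def _rec(rec_type, body):
    return struct.pack(REC_HDR_FMT, rec_type, len(body)) + body

def make_event(sensor_id, event_id, event_second, sid):
    return _rec(UNIFIED2_IDS_EVENT, struct.pack(
        EVENT_FMT, sensor_id, event_id, event_second, 0, sid, 1, 1, 0, 1,
        0xC0000201, 0xC0000202, 12345, 80, 6, 0, 0, 0))   # 192.0.2.1 -> 192.0.2.2/tcp

def make_packet(sensor_id, event_id, event_second, data):
    hdr = struct.pack(PACKET_FMT, sensor_id, event_id, event_second, event_second, 0, 1, len(data))
    return _rec(UNIFIED2_PACKET, hdr + data)

def make_extra(sensor_id, event_id, event_second, blob, info_type=1):
    # info_type 1 taken to be the XFF IPv4 info type, data_type 1 a blob (assumed values)
    body = struct.pack(EXTRA_FMT, sensor_id, event_id, event_second, info_type, 1, len(blob)) + blob
    return _rec(UNIFIED2_EXTRA_DATA, struct.pack(EXTRA_HDR_FMT, 4, len(body)) + body)


def build_sample_stream():
    """Constructed stream in the order ...A11B2C1(extra A)..., as discussed in the thread."""
    a, b, c = (1, 100, 1307000000), (1, 101, 1307000001), (1, 102, 1307000002)
    return b"".join([
        make_event(*a, sid=1000001),
        make_packet(*a, data=b"\x45\x00A-pkt1"),
        make_packet(*a, data=b"\x45\x00A-pkt2"),
        make_event(*b, sid=1000002),
        make_packet(*b, data=b"\x45\x00B-pkt1"),
        make_event(*c, sid=1000003),
        make_packet(*a, data=b"\x45\x00A-late"),    # tagged packet for A after B and C
        make_extra(*a, blob=b"203.0.113.9"),        # XFF extra data for A, also late
    ])


if __name__ == "__main__":
    for key, g in group_by_event(build_sample_stream()).items():
        print(key, "sid", g["event"] and g["event"]["signature_id"],
              "packets", len(g["packets"]), "extra", g["extra"])
```

The reader keeps the first-seen order of events, so a consumer that wants to emit one event with all its packets has to wait until it is confident no more records for that ID will arrive (end of file, or a rotation to a new unified2 file), rather than flushing as soon as the next event record appears.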
Current thread:
- Unified2 Record Order firnsy (Jun 03)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)