Snort mailing list archives

Re: Unified2 Record Order


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 6 Jun 2011 12:27:00 -0400

We've already got one or two related bug fixes on logging / tagging for
291.  I'll see if it addresses this issue.

On Mon, Jun 6, 2011 at 11:55 AM, beenph <beenph () gmail com> wrote:

On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges () sourcefire com>
wrote:
I see what you're getting at there... I was thinking you were
talking about the correlation of multiple packet events to the
related event data itself.

It looks like a bug; CallLogFuncs shouldn't change that data if the event
is from a TAG event.  We'll look into it.

-s

The ultimate goal is to make correlation easier for a process reading the
unified2 file (in this case barnyard2), but this could apply to other
unified2 readers also.
But let's say I want to correlate, and I assume that Snort's internal
event_id can wrap; I need more variables to generate my key, but in this
context, if we use time (generated event time), it's obviously gonna miss
in the case of tagged packets.

I didn't look at whether there are other cases where this could happen, but
I assume it's possible.

Would it be logical for Snort to write to the unified2 file when an event
is no longer valid, sort of like an outside pruning mechanism that would
allow unified2 readers to be aware that an event is no longer being
referenced by the IDS process?

-elz


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

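To make the correlation problem raised in the thread concrete, here is an added example (not code from the thread, Snort or barnyard2) of a minimal unified2 reader. It assumes the big-endian record layouts of Snort's Unified2_common.h (type 7 IDS event, type 2 packet) and a constructed record stream in which a tagged packet's event_second was overwritten with the tagged packet's own time, as described above; it shows that a key including the event time orphans that packet, while keying on (sensor_id, event_id) with the newest event still copes with a reused event_id.

```python
import struct
from collections import defaultdict

# Assumed big-endian layouts from Snort's Unified2_common.h: record header = type, length;
# type 7 = IDS event (52 bytes); type 2 = packet (28-byte fixed part + packet data).
HDR, EVENT, PKT = struct.Struct("!II"), struct.Struct("!IIIIIIIIIIIHHBBBB"), struct.Struct("!IIIIIII")

def build_event(sensor_id, event_id, event_second, sid):
    body = EVENT.pack(sensor_id, event_id, event_second, 0, sid, 1, 1, 0, 1,
                      0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return HDR.pack(7, len(body)) + body

def build_packet(sensor_id, event_id, event_second, packet_second, data=b"\x45\x00"):
    body = PKT.pack(sensor_id, event_id, event_second, packet_second, 0, 1, len(data)) + data
    return HDR.pack(2, len(body)) + body

def parse(buf):
    """Yield (type, sensor_id, event_id, event_second, packet_second) per record."""
    off = 0
    while off < len(buf):
        rtype, rlen = HDR.unpack_from(buf, off)
        body, off = buf[off + HDR.size:off + HDR.size + rlen], off + HDR.size + rlen
        if rtype == 7:
            yield (rtype,) + EVENT.unpack_from(body)[:3] + (None,)
        elif rtype == 2:
            yield (rtype,) + PKT.unpack_from(body)[:4]

def correlate(buf, require_time_match):
    """Attach each packet record to its event, keeping the newest event per
    (sensor_id, event_id) so a reused/wrapped event_id starts a new event. With
    require_time_match the packet's event_second must also equal the event's."""
    current, matched, orphans = {}, defaultdict(list), []
    for rtype, sensor_id, event_id, event_second, packet_second in parse(buf):
        ident = (sensor_id, event_id)
        if rtype == 7:
            current[ident] = event_second
            continue
        ev_second = current.get(ident)
        if ev_second is None or (require_time_match and ev_second != event_second):
            orphans.append((event_id, event_second))  # reader cannot place this packet
        else:
            matched[ident + (ev_second,)].append(packet_second)
    return dict(matched), orphans

def sample_stream():
    """Constructed stream: event 1 at t=1000 and its packet, a tagged packet at t=1003
    whose event_second was overwritten to 1003, then event_id 1 reused (wrap) at t=2000."""
    return (build_event(1, 1, 1000, 2000001) + build_packet(1, 1, 1000, 1000)
            + build_packet(1, 1, 1003, 1003)
            + build_event(1, 1, 2000, 2000002) + build_packet(1, 1, 2000, 2000))
```

With the time in the key, the tagged packet is reported as an orphan; without it, the same packet is attached to the t=1000 event and the reused event_id still gets its own bucket.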
