Snort mailing list archives
Re: Unified2 Record Order
From: Steven Sturges <ssturges () sourcefire com>
Date: Sat, 04 Jun 2011 18:15:06 -0400
Generally that is true. However, if there is more than one packet logged with an event, others may be logged later.

On 6/4/11 12:08 PM, beenph wrote:
> On Sat, Jun 4, 2011 at 11:44 AM, Steven Sturges <ssturges () sourcefire com> wrote:
>> Yes, this is possible... When tagging packets associated with events, subsequent packets are logged as they arrive, and could be interspersed with other events and packets.
>>
>> Within the unified2 structure, there is an event ID, and all data associated with a unique event are logged with that event ID. That includes the event itself, any associated packets, as well as extra data events (eg, X-Forwarded-For data from HTTP that was added in 2.9.0).
>>
>> Hope this helps.
>> Cheers.
>> -steve
>
> But events, the way they are logged, are logged with an event header and a packet header if needed, right?
>
> [UNIFIED2 EVENT 1]
> [UNIFIED2 PACKET 1]
> [UNIFIED2 EVENT 2]
> [UNIFIED2 PACKET 2]
> [UNIFIED2 EVENT 3]
> [UNIFIED2 PACKET 3]
>
> And not
>
> [UNIFIED2 EVENT 1]
> [UNIFIED2 EVENT 2]
> [UNIFIED2 EVENT 3]
> [UNIFIED2 PACKET 2]
> [UNIFIED2 PACKET 3]
> [UNIFIED2 PACKET 1]
>
> Right?
>
> Thanks in advance.
> -elz
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
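The practical consequence of Steve's answer is that a unified2 reader cannot assume a packet record follows its event record: it has to key every record on the event identifier and join them after the fact. The following is an added example written for this thread, not code from Snort or from either poster. It parses the unified2 record header (big-endian type and length), pulls the (sensor_id, event_id, event_second) triple out of event, packet and extra-data records, and groups them regardless of the order they arrived in. The record type numbers (2, 7, 110) and field offsets are taken from my reading of Snort's Unified2_common.h and should be checked against the header shipped with your Snort version; the extra-data event_type/data_type values and the sample stream below are constructed for the demonstration.

```python
"""Group unified2 records by event regardless of the order they appear in the spool."""
import struct
from collections import defaultdict

# Record type values as found in Snort's Unified2_common.h (assumed; verify for your version).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event record, 52-byte body
UNIFIED2_EXTRA_DATA = 110

# Offset inside the record body at which (sensor_id, event_id, event_second) starts.
# Event and packet bodies begin with those fields; the extra-data body carries an
# event_type/event_length pair in front of them.
EVENT_KEY_OFFSET = {UNIFIED2_IDS_EVENT: 0, UNIFIED2_PACKET: 0, UNIFIED2_EXTRA_DATA: 8}

RECORD_HEADER = struct.Struct(">II")  # type, length of the body that follows
EVENT_KEY = struct.Struct(">III")     # sensor_id, event_id, event_second


def iter_records(data):
    """Yield (type, body) for each complete record in a unified2 byte string.

    A truncated trailing record is skipped rather than raised on: a reader that
    tails a spool file the writer is still appending to will see that routinely.
    """
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if offset + rlen > len(data):
            break  # partial record at end of data; wait for more bytes
        yield rtype, data[offset:offset + rlen]
        offset += rlen


def group_by_event(data):
    """Return {(sensor_id, event_id, event_second): {"events": [...], "packets": [...], "extra": [...]}}.

    event_id alone wraps and restarts on sensor restart, so the triple is used as the key.
    """
    groups = defaultdict(lambda: {"events": [], "packets": [], "extra": []})
    for rtype, body in iter_records(data):
        key_off = EVENT_KEY_OFFSET.get(rtype)
        if key_off is None:
            continue  # record type this example does not decode (IPv6/VLAN/MPLS events, etc.)
        key = EVENT_KEY.unpack_from(body, key_off)
        if rtype == UNIFIED2_IDS_EVENT:
            groups[key]["events"].append(body)
        elif rtype == UNIFIED2_PACKET:
            pkt_len = struct.unpack_from(">I", body, 24)[0]   # packet_length field
            groups[key]["packets"].append(body[28:28 + pkt_len])
        else:
            blob_len = struct.unpack_from(">I", body, 28)[0]  # blob_length field
            groups[key]["extra"].append(body[32:32 + blob_len])
    return dict(groups)


# --- constructed sample records (not captured from a real sensor) -------------
def _record(rtype, body):
    return RECORD_HEADER.pack(rtype, len(body)) + body


def make_event(sensor_id, event_id, event_second, sid=1000001):
    # Serial_Unified2IDSEvent_legacy: 11 uint32 fields, two uint16 ports, four flag bytes.
    body = struct.pack(">11I", sensor_id, event_id, event_second, 0, sid, 1, 1, 0, 3,
                       0x0A000001, 0x0A000002)
    body += struct.pack(">HH4B", 12345, 80, 6, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT, body)


def make_packet(sensor_id, event_id, event_second, payload):
    # sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length
    body = struct.pack(">7I", sensor_id, event_id, event_second, event_second, 0, 1, len(payload))
    return _record(UNIFIED2_PACKET, body + payload)


def make_extra(sensor_id, event_id, event_second, blob, extra_type=2):
    # event_type=4 (extra data) and data_type=1 (blob) are assumed constants; extra_type 2 is
    # assumed to be the X-Forwarded-For IPv4 type mentioned in the thread.
    inner = struct.pack(">6I", sensor_id, event_id, event_second, extra_type, 1, len(blob)) + blob
    return _record(UNIFIED2_EXTRA_DATA, struct.pack(">II", 4, len(inner) + 8) + inner)


T = 1307203200  # constructed event_second
# The interleaving beenph asked about: packets for event 1 land after events 2 and 3.
SAMPLE_STREAM = b"".join([
    make_event(1, 1, T),
    make_event(1, 2, T),
    make_packet(1, 2, T, b"pkt-for-event-2"),
    make_event(1, 3, T),
    make_packet(1, 1, T, b"pkt-for-event-1"),
    make_extra(1, 1, T, b"\x0a\x00\x00\x07"),
    make_packet(1, 3, T, b"pkt-for-event-3"),
    make_packet(1, 1, T, b"second-pkt-for-event-1"),
])

if __name__ == "__main__":
    for key, g in sorted(group_by_event(SAMPLE_STREAM).items()):
        print(key, len(g["events"]), "event,", len(g["packets"]), "packets,", len(g["extra"]), "extra")
```

Running it shows event 1 with two packets and one extra-data blob even though those records were separated by other events in the stream. Because `iter_records` stops at an incomplete trailing record instead of raising, the same function can be called repeatedly on a growing spool file; the caller just needs to remember how far it got.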
Current thread:
- Unified2 Record Order firnsy (Jun 03)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)