Snort mailing list archives

Re: Unified2 Record Order


From: Steven Sturges <ssturges () sourcefire com>
Date: Mon, 06 Jun 2011 11:32:41 -0400

I see what you're getting at there... I was thinking you were
talking about the correlation of multiple packet events to the
related event data itself.

It looks like a bug; CallLogFuncs shouldn't change that
data if the event is from a TAG event.  We'll look into it.

-s

On 6/6/11 11:12 AM, beenph wrote:
On Mon, Jun 6, 2011 at 10:43 AM, Steven Sturges<ssturges () sourcefire com>  wrote:
This is already there within the unified2 packet event structure.
There are fields for the event_id and both the seconds from the
original event, as well as the packet timestamp.

#include <stdint.h>

typedef struct _Serial_Unified2Packet
{
    uint32_t sensor_id;          /* sensor that generated the event */
    uint32_t event_id;           /* id of the event this packet belongs to */
    uint32_t event_second;       /* timestamp (seconds) of the original event */
    uint32_t packet_second;      /* capture timestamp of this packet */
    uint32_t packet_microsecond;
    uint32_t linktype;           /* data link type of packet_data */
    uint32_t packet_length;      /* number of bytes in packet_data */
    uint8_t packet_data[4];      /* variable length; 4 is only a placeholder */
} Serial_Unified2Packet;


Well, this touches on what I was trying to express from my understanding,
but if you look at how a call to
CheckTagging in Decode.c unwinds, it will call CheckTagList.

If an event is found, CheckTagList will set the reference time and event id
from the "returned" event.
tag.c CheckTagList(Packet *p, Event *event)
<SNIP>
    if (create_event)
    {
        /* set the event info */
        SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1,
                 returned->event_id);
        /* set event reference details */
        event->ref_time.tv_sec = returned->event_time.tv_sec;
        event->ref_time.tv_usec = returned->event_time.tv_usec;
        event->event_reference = returned->event_id | ScEventLogId();
    }
</SNIP>

Then CheckTagging will call CallLogFuncs,
and it will do the following:

event->ref_time.tv_sec = p->pkth->ts.tv_sec;
event->ref_time.tv_usec = p->pkth->ts.tv_usec;

From my understanding this will remove the reference set by CheckTagList and put back
the time of the tagged packet in the event.

From there the only reference is the event_id, but since event_id can
wrap, is it really reliable?

Maybe my understanding of the code flow is wrong?

-elz
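As an added example (not code from this thread or from Snort itself): a small Python reader for the Serial_Unified2Packet layout quoted above, keying each packet on (sensor_id, event_id, event_second) instead of event_id alone, which is what lets the pairing survive an event_id wrap. It assumes the usual unified2 convention of network byte order and that the unified2 record header has already been stripped; the sample records are constructed.

```python
import struct
from collections import defaultdict

# Serial_Unified2Packet on the wire: seven uint32 fields in network byte
# order (unified2 is big-endian), followed by packet_length bytes of data.
PACKET_HDR = struct.Struct("!7I")

def parse_packet_record(buf):
    """Parse one Serial_Unified2Packet body (unified2 record header already stripped)."""
    if len(buf) < PACKET_HDR.size:
        raise ValueError("truncated Serial_Unified2Packet")
    (sensor_id, event_id, event_second, packet_second,
     packet_usec, linktype, packet_length) = PACKET_HDR.unpack_from(buf)
    data = buf[PACKET_HDR.size:PACKET_HDR.size + packet_length]
    if len(data) != packet_length:
        raise ValueError("packet_length runs past end of record")
    return {"sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "packet_ts": (packet_second, packet_usec),
            "linktype": linktype, "packet_data": data}

def event_key(rec):
    # event_id alone can wrap; pairing it with sensor_id and the original
    # event's timestamp tells two uses of the same id apart.
    return (rec["sensor_id"], rec["event_id"], rec["event_second"])

def group_packets_by_event(records):
    """Map each (sensor_id, event_id, event_second) to its packet timestamps."""
    groups = defaultdict(list)
    for rec in records:
        groups[event_key(rec)].append(rec["packet_ts"])
    return dict(groups)

def build_packet_record(sensor_id, event_id, event_second, packet_ts, payload):
    # Constructed sample record; linktype 1 = Ethernet.
    return PACKET_HDR.pack(sensor_id, event_id, event_second, packet_ts[0],
                           packet_ts[1], 1, len(payload)) + payload

# Constructed input: two tagged packets for event 42 raised at 1307374980,
# plus a packet for a later event that reused id 42 after the counter wrapped.
SAMPLE_RECORDS = [
    build_packet_record(1, 42, 1307374980, (1307374980, 100), b"\x00" * 4),
    build_packet_record(1, 42, 1307374980, (1307374985, 250), b"\x01" * 4),
    build_packet_record(1, 42, 1307381000, (1307381001, 0), b"\x02" * 4),
]

def demo():
    return group_packets_by_event(parse_packet_record(r) for r in SAMPLE_RECORDS)
```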


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
