Snort mailing list archives

Re: Unified2 Record Order


From: beenph <beenph () gmail com>
Date: Mon, 6 Jun 2011 11:55:12 -0400

On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges () sourcefire com> wrote:
I see what you're getting at there... I was thinking you were
talking about the correlation of multiple packet events to the
related event data itself.

It looks like a bug that CallLogFuncs shouldn't change that
data if the event is from a TAG event.  We'll look into it.

-s

The ultimate goal is to make correlation easier for a process reading
the unified2 file (in this case barnyard2), but this could apply to other
unified2 readers also.
But let's say I want to correlate, and that I assume that Snort's
internal event_id can wrap: I need more variables to generate my key,
but in this context, if we use time (generated event time), it's
obviously going to miss in the case of tagged packets.

I didn't look for other cases where this could happen, but I
assume it's possible.

Would it be logical for Snort to write to the unified2 file when an event
is no longer valid, sort of like an outside pruning mechanism that would
allow unified2 readers to be aware that an event is no longer being
referenced by the IDS process?

-elz
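A toy unified2 reader along the lines of what elz describes, added here as an example and not code from the thread, from Snort or from barnyard2: it builds a constructed stream (one legacy IDS event record plus its triggering packet and a tagged packet whose event_second has been rewritten, as the reported bug would do) and correlates packets to the event with and without event_second in the key. The record layouts for the type 7 event and type 2 packet records are assumed from the unified2 format.

```python
"""Correlating unified2 packet records to their event (constructed data)."""
import struct

# unified2 framing: every record is a (type, length) header followed by a body.
HDR = struct.Struct("!II")
EVENT_T, PACKET_T = 7, 2                       # legacy IDS event, packet record
EVENT = struct.Struct("!" + "I" * 13 + "BBBB")  # sensor_id, event_id, event_second, ...
PACKET = struct.Struct("!IIIIIII")             # sensor_id, event_id, event_second, pkt_sec, pkt_usec, linktype, pkt_len

def record(rtype, body):
    return HDR.pack(rtype, len(body)) + body

def event_record(sensor_id, event_id, event_second, sig_id):
    # Remaining fields (gid, rev, class, priority, ips, ports, proto, flags) are filler.
    fields = [sensor_id, event_id, event_second, 0, sig_id, 1, 1, 0, 1,
              0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0]
    return record(EVENT_T, EVENT.pack(*fields))

def packet_record(sensor_id, event_id, event_second, pkt_second, data):
    body = PACKET.pack(sensor_id, event_id, event_second, pkt_second, 0, 1, len(data))
    return record(PACKET_T, body + data)

def parse(blob):
    """Yield (type, header fields) for each event or packet record in the stream."""
    off = 0
    while off < len(blob):
        rtype, rlen = HDR.unpack_from(blob, off)
        body = blob[off + HDR.size:off + HDR.size + rlen]
        off += HDR.size + rlen
        if rtype == EVENT_T:
            yield rtype, EVENT.unpack(body[:EVENT.size])
        elif rtype == PACKET_T:
            yield rtype, PACKET.unpack(body[:PACKET.size])

def correlate(blob, key_fields):
    """Match packets to events; key_fields are indices into the shared header layout."""
    events, matched, orphans = {}, [], []
    for rtype, f in parse(blob):
        key = tuple(f[i] for i in key_fields)
        if rtype == EVENT_T:
            events[key] = f
        elif key in events:
            matched.append(f)
        else:
            orphans.append(f)      # reader cannot tie this packet back to an event
    return matched, orphans

# Constructed stream: event at t=1000, its packet, then a tagged packet at t=1005
# whose event_second was overwritten with the packet time (the bug in the thread).
STREAM = (event_record(1, 7, 1000, 2000001)
          + packet_record(1, 7, 1000, 1000, b"\x00" * 8)
          + packet_record(1, 7, 1005, 1005, b"\x00" * 8))

def demo():
    by_time = correlate(STREAM, (0, 1, 2))   # key: sensor_id, event_id, event_second
    by_id = correlate(STREAM, (0, 1))        # key: sensor_id, event_id only
    return (len(by_time[0]), len(by_time[1])), (len(by_id[0]), len(by_id[1]))
```

With event_second in the key the tagged packet is orphaned; keying on sensor_id and event_id alone matches both, at the cost of ambiguity once event_id wraps.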
