Snort mailing list archives
Re: Unified2 Record Order
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 6 Jun 2011 16:35:55 -0400
Turns out this was still unresolved. We're opening a bug. Thanks for reporting it.

On Mon, Jun 6, 2011 at 12:27 PM, Russ Combs <rcombs () sourcefire com> wrote:

> We've already got one or two related bug fixes on logging / tagging for 291. I'll see if it addresses this issue.
>
> On Mon, Jun 6, 2011 at 11:55 AM, beenph <beenph () gmail com> wrote:
>
>> On Mon, Jun 6, 2011 at 11:32 AM, Steven Sturges <ssturges () sourcefire com> wrote:
>>
>>> I see what you're getting at there... I was thinking you were talking about the correlation of multiple packet events to the related event data itself. It looks like a bug that CallLogFuncs shouldn't change that data if the event is from a TAG event. We'll look into it.
>>>
>>> -s
>>
>> The ultimate goal is to make correlation easier for a process reading the unified2 file (in this case barnyard2), but this could apply to other unified2 readers also. But let's say I want to correlate, and that I assume that snort's internal event_id can wrap: I need more variables to generate my key, but in this context, if we use time (generated event time), it's obviously gonna miss in the case of tagged packets. I didn't look if there were other cases where this could happen, but I assume it's possible.
>>
>> Would it be logical for snort to write to the unified2 file when an event is no longer valid, sort of like an outside pruning mechanism that would allow unified2 readers to be aware that an event is no longer being referenced by the IDS process?
>>
>> -elz
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
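The correlation problem beenph describes, as an added example that is not part of this thread or of Snort/barnyard2: a minimal unified2 reader run over a constructed stream containing one IDS event (record type 7), its triggering packet (type 2) and a tagged follow-up packet whose event_second has been overwritten with its own packet time, reproducing the behaviour reported above. The record layouts are Snort's unified2 IPv4 event and packet records; the `strict`/loose key choice and the sample values are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

# Record types and layouts from Snort's unified2 format (IPv4 IDS event v1).
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"   # 52-byte event body; [0..2] = sensor_id, event_id, event_second
PACKET_FMT = "!IIIIIII"            # 28-byte packet header: sensor_id, event_id, event_second, ...

def parse_unified2(data):
    # Each record is a (type, length) header followed by `length` bytes of body.
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack_from(EVENT_FMT, body)
            yield rtype, {"sensor_id": f[0], "event_id": f[1], "event_second": f[2], "sig_id": f[4]}
        elif rtype == UNIFIED2_PACKET:
            f = struct.unpack_from(PACKET_FMT, body)
            yield rtype, {"sensor_id": f[0], "event_id": f[1], "event_second": f[2], "data": body[28:28 + f[6]]}

def correlate(data, strict=True):
    """strict=True keys packets on (sensor_id, event_id, event_second), as a reader must if
    event_id may wrap; strict=False keys on (sensor_id, event_id). Returns (by_key, orphans)."""
    def key(r):
        return (r["sensor_id"], r["event_id"]) + ((r["event_second"],) if strict else ())
    events, packets, orphans = {}, defaultdict(list), []
    for rtype, rec in parse_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT:
            events[key(rec)] = rec
        elif key(rec) in events:
            packets[key(rec)].append(rec)
        else:
            orphans.append(rec)        # packet whose key matches no event seen so far
    return packets, orphans

def event_record(sensor, eid, sec, sig):
    body = struct.pack(EVENT_FMT, sensor, eid, sec, 0, sig, 1, 1, 0, 1,
                       0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def packet_record(sensor, eid, sec, psec, payload):
    body = struct.pack(PACKET_FMT, sensor, eid, sec, psec, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

# Constructed stream: event 42 at t=1000 with its triggering packet, then a tagged follow-up
# at t=1005 whose event_second was overwritten with the packet time instead of the event's 1000.
SAMPLE = (event_record(1, 42, 1000, 2001)
          + packet_record(1, 42, 1000, 1000, b"GET / HTTP/1.0\r\n")
          + packet_record(1, 42, 1005, 1005, b"tagged follow-up"))
```

With the strict key the tagged packet becomes an orphan; with the loose key it is attached, at the cost of ambiguity once event_id wraps, which is exactly the trade-off the thread is about.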