Snort mailing list archives

Re: Unified2 with EXTRA_DATA fields


From: Jaime Blasco <jaime.blasco () alienvault com>
Date: Fri, 25 May 2012 10:49:25 +0200

Hi,

Yes, that is the obvious solution. The problem is that the system will be
slowed down using that approach. Is there any plan to include a flag on the
Packet data to show the Packet will have an associated ExtraData?

Best Regards

On Fri, May 25, 2012 at 6:21 AM, beenph <beenph () gmail com> wrote:

> On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
> <jaime.blasco () alienvault com> wrote:
> > Hi,
> >
> > I want to explain a problem that we have while adapting our Unified2
> > parser to the new extra-data fields.
> >
> > The problem is that when you want to parse the events in real time you
> > don't have a way to know if the Event will have an ExtraData later in the file.
>
> Either keep a cache of events that previously happened or handle it in
> your storage backend.
>
> -elz




-- 
_______________________________

Jaime Blasco

AlienVault Labs Manager

www.ossim.com
labs.alienvault.com
Email: jaime.blasco () alienvault com

http://twitter.com/jaimeblascob
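The "keep a cache of events" approach from beenph's reply, as an added example that is not part of this thread and not Snort's own code: a streaming reader holds each event in a bounded, arrival-ordered cache so that packet and extra-data records arriving later can be attached to it, and reports an event as complete once it ages out of the window (or the cache overflows); anything that references an already-reported event is counted as an orphan for the storage backend to deal with. The record-header shape (4-byte type, 4-byte length, big-endian), the type numbers 2/7/110 and the position of the sensor_id/event_id/event_second triple (offset 0 in event and packet bodies, offset 8 in extra-data bodies) are my recollection of Unified2_common.h and should be checked against your Snort version; the sample stream, `correlate`, `EventCorrelator` and the `_event`/`_packet`/`_extra` builders are constructed for this example.

```python
import struct
from collections import OrderedDict

# Unified2 record type numbers as I recall them from Snort's Unified2_common.h
# (assumption: check them against the Snort version you parse).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110

RECORD_HDR = struct.Struct("!II")   # record header: type, body length (big-endian)
EVENT_KEY = struct.Struct("!III")   # sensor_id, event_id, event_second


def iter_records(data):
    """Yield (type, body) pairs from a unified2 byte string.

    A trailing partial record (the writer is still appending it) ends the
    iteration cleanly instead of raising; a tailing reader retries later.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        if off + RECORD_HDR.size + length > len(data):
            break
        off += RECORD_HDR.size
        yield rtype, data[off:off + length]
        off += length


class EventCorrelator:
    """Cache events until their packet/extra-data records have had time to arrive.

    An event is reported once it is older than max_age seconds relative to the
    newest event seen, or once the cache holds more than max_pending events.
    Records for an event that already left the cache are recorded as orphans.
    """

    def __init__(self, max_pending=1000, max_age=5):
        self.pending = OrderedDict()   # (sensor_id, event_id, event_second) -> entry
        self.max_pending = max_pending
        self.max_age = max_age
        self.completed = []
        self.orphans = []

    def feed(self, rtype, body):
        if rtype == UNIFIED2_IDS_EVENT:
            key = EVENT_KEY.unpack_from(body, 0)
            self.pending[key] = {"key": key, "event": body, "packets": [], "extra": []}
            self._expire(now=key[2])
        elif rtype == UNIFIED2_PACKET:
            self._attach(EVENT_KEY.unpack_from(body, 0), "packets", body)
        elif rtype == UNIFIED2_EXTRA_DATA:
            # Assumption: an 8-byte extra-data header precedes the key triple.
            self._attach(EVENT_KEY.unpack_from(body, 8), "extra", body)
        # Other record types play no part in correlation and are skipped.

    def _attach(self, key, kind, body):
        entry = self.pending.get(key)
        if entry is None:
            self.orphans.append((kind, key))   # event already reported
        else:
            entry[kind].append(body)

    def _expire(self, now):
        # Entries are kept in arrival order, so the oldest is always first.
        while self.pending:
            oldest = next(iter(self.pending))
            if now - oldest[2] > self.max_age or len(self.pending) > self.max_pending:
                self.completed.append(self.pending.pop(oldest))
            else:
                break

    def flush(self):
        """At end of stream, report whatever is still cached."""
        while self.pending:
            self.completed.append(self.pending.popitem(last=False)[1])
        return self.completed


def correlate(data, **kwargs):
    """Return ([(sensor_id, event_id, event_second, n_packets, n_extra)], orphans)."""
    c = EventCorrelator(**kwargs)
    for rtype, body in iter_records(data):
        c.feed(rtype, body)
    summaries = [e["key"] + (len(e["packets"]), len(e["extra"])) for e in c.flush()]
    return summaries, c.orphans


# --- constructed sample stream (not a real Snort spool file) ---------------
def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body

def _event(sensor, eid, sec):
    return _record(UNIFIED2_IDS_EVENT, EVENT_KEY.pack(sensor, eid, sec) + b"\0" * 40)

def _packet(sensor, eid, sec):
    return _record(UNIFIED2_PACKET, EVENT_KEY.pack(sensor, eid, sec) + b"\0" * 16)

def _extra(sensor, eid, sec, blob=b"example.com"):
    hdr = struct.pack("!II", 0, 0)   # placeholder extra-data header values
    return _record(UNIFIED2_EXTRA_DATA, hdr + EVENT_KEY.pack(sensor, eid, sec) + blob)

SAMPLE_STREAM = b"".join([
    _event(1, 100, 1000),
    _packet(1, 100, 1000),
    _event(1, 101, 1001),
    _extra(1, 100, 1000),    # extra data for event 100 arrives after event 101
    _extra(1, 101, 1001),
    _event(1, 102, 1020),    # 20 s later: events 100 and 101 age out of the cache
    _extra(1, 100, 1000),    # too late: event 100 was already reported -> orphan
])

if __name__ == "__main__":
    done, orphans = correlate(SAMPLE_STREAM, max_age=5)
    for s in done:
        print("event %d: %d packet(s), %d extra-data record(s)" % (s[1], s[3], s[4]))
    print("orphans:", orphans)
```

The window (`max_age`) is the trade-off the thread is about: a longer window catches more late ExtraData but delays reporting and grows the cache, while a shorter one pushes more records into the orphan path that the storage backend must reconcile. Keying on the full (sensor_id, event_id, event_second) triple matters because event_id alone repeats across sensors and restarts.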