Snort mailing list archives
Re: Unified2 with EXTRA_DATA fields
From: Steven Sturges <ssturges () sourcefire com>
Date: Fri, 25 May 2012 09:23:47 -0400
Hi Jamie--

The issue is that when an event is logged, Snort may not have seen enough of the connection to know that there will be extra data logged. To do this, Snort would need to hold on to more packets before logging an event, which is not optimal in terms of memory or performance.

Snort does provide linking information in the extra data structure, so that it can easily be associated w/ the event itself, so as Eric suggests, doing that in the back-end/event storage is the best option.

Cheers.
-steve

On 5/25/12 4:49 AM, Jaime Blasco wrote:
Hi,

Yes, that is the obvious solution. The problem is that the system will be slowed down using that approach. Is there any plan to include a flag on the Packet data to show the Packet will have an associated ExtraData?

Best Regards

On Fri, May 25, 2012 at 6:21 AM, beenph <beenph () gmail com> wrote:

On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco <jaime.blasco () alienvault com> wrote:
> Hi,
>
> I want to explain a problem that we have while adapting our Unified2 parser
> to the new extra-data fields.
>
> The problem is that when you want to parse the events in real time you don't
> have a way to know if the Event will have an ExtraData later in the file.

Either keep a cache of events that previously happened or handle it in your
storage backend.

-elz

--
_______________________________
Jaime Blasco
AlienVault Labs Manager
www.ossim.com
labs.alienvault.com
Email: jaime.blasco () alienvault com
http://twitter.com/jaimeblascob

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
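The approach beenph and Steve describe, as an added example that is not code from Snort or from anyone in this thread: a reader that caches each UNIFIED2_IDS_EVENT for a short hold window and joins later UNIFIED2_EXTRA_DATA records to it using the linking fields the extra-data header carries (sensor_id, event_id, event_second). Record layouts follow Snort's Unified2.h as the editor recalls them (Serial_Unified2_Header, Unified2IDSEvent_legacy, Unified2ExtraDataHdr, Unified2ExtraData, EVENT_TYPE_EXTRA_DATA = 4, EVENT_DATA_TYPE_BLOB = 1); the EventInfo codes 9 (HTTP URI) and 10 (HTTP hostname), the hold window of two seconds and all sample records are assumptions constructed here, not captured from a sensor. Check the constants against the header shipped with your Snort version.

```python
import socket
import struct

UNIFIED2_IDS_EVENT = 7     # IPv4 event record (Unified2IDSEvent_legacy)
UNIFIED2_EXTRA_DATA = 110  # Unified2ExtraDataHdr + Unified2ExtraData + blob
EXTRA_TYPE_NAMES = {9: "http_uri", 10: "http_hostname"}  # assumed EventInfo codes

REC_HDR = struct.Struct("!II")  # Serial_Unified2_Header: type, length
# Unified2IDSEvent_legacy: sensor_id, event_id, event_second, event_usec,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport, dport, protocol,
# impact_flag, impact, blocked (52 bytes, network byte order)
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
# Unified2ExtraDataHdr (event_type, event_length) followed by Unified2ExtraData
# (sensor_id, event_id, event_second, type, data_type, blob_length), then blob
EXTRA_HDR = struct.Struct("!IIIIIIII")


def parse_records(data):
    """Yield (type, payload) for every complete record in the byte string."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, length = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + length > len(data):
            break  # partial tail: Snort may still be writing this record
        yield rtype, data[off:off + length]
        off += length


class EventCorrelator:
    """Cache events for hold_seconds so later EXTRA_DATA can be attached by the
    linking fields (sensor_id, event_id, event_second). The hold window is the
    reader's trade-off: Snort writes the event before it knows extra data follows."""

    def __init__(self, hold_seconds=2):
        self.hold = hold_seconds
        self.pending = {}  # key -> event dict, kept in arrival order
        self.orphans = []  # extra data for events this reader never cached

    def feed(self, rtype, payload):
        """Consume one record; return the events whose hold window has closed."""
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(payload)
            self.pending[f[0:3]] = {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6],
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13], "extra": {}}
            return self._expire(f[2])
        if rtype == UNIFIED2_EXTRA_DATA:
            h = EXTRA_HDR.unpack_from(payload)
            key, etype, blob_len = h[2:5], h[5], h[7]
            # blob_length also counts the 8 bytes of data_type and blob_length
            blob = payload[EXTRA_HDR.size:EXTRA_HDR.size + blob_len - 8]
            name = EXTRA_TYPE_NAMES.get(etype, "type_%d" % etype)
            if key in self.pending:
                self.pending[key]["extra"][name] = blob.decode("latin-1")
            else:  # event flushed already, or logged before we started reading
                self.orphans.append(key + (name, blob.decode("latin-1")))
            return self._expire(key[2])
        return []  # packet and other record types are not correlated here

    def _expire(self, now):
        done = [k for k, ev in self.pending.items()
                if ev["event_second"] + self.hold <= now]
        return [self.pending.pop(k) for k in done]

    def flush(self):
        """Emit everything still pending (end of file or shutdown)."""
        out, self.pending = list(self.pending.values()), {}
        return out


def build_event(sensor_id, event_id, second, sid, src, dst, sport, dport):
    """Serialise a minimal UNIFIED2_IDS_EVENT record (constructed test data)."""
    body = IDS_EVENT.pack(sensor_id, event_id, second, 0, sid, 1, 1, 0, 3,
                          socket.inet_aton(src), socket.inet_aton(dst),
                          sport, dport, 6, 0, 0, 0)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_extra(sensor_id, event_id, second, etype, blob):
    """Serialise a UNIFIED2_EXTRA_DATA record with spo_unified2's length fields."""
    body = EXTRA_HDR.pack(4, EXTRA_HDR.size + len(blob), sensor_id, event_id,
                          second, etype, 1, 8 + len(blob)) + blob
    return REC_HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body


def demo():
    """Constructed stream: event 101 gets URI and hostname extra data, 102 gets
    none, and extra data for 999 arrives for an event this reader never saw."""
    stream = b"".join([
        build_event(0, 101, 1337900000, 2001, "10.0.0.5", "192.0.2.10", 51000, 80),
        build_extra(0, 101, 1337900000, 9, b"/cgi-bin/test.cgi?x=1"),
        build_extra(0, 101, 1337900000, 10, b"example.test"),
        build_event(0, 102, 1337900001, 2002, "10.0.0.6", "192.0.2.11", 51001, 443),
        build_extra(0, 999, 1337899990, 9, b"/seen-before-this-reader-started"),
        build_event(0, 103, 1337900010, 2003, "10.0.0.7", "192.0.2.12", 51002, 80),
    ])
    corr = EventCorrelator(hold_seconds=2)
    emitted = []
    for rtype, payload in parse_records(stream):
        emitted.extend(corr.feed(rtype, payload))
    emitted.extend(corr.flush())
    return emitted, corr.orphans
```

The hold window is what makes this a trade-off rather than a fix: a short window keeps memory and latency low but risks emitting an event before its extra data lands (those records end up in orphans and have to be merged in the storage backend anyway); a long window delays every event, which is the slowdown Jaime is worried about. Whatever the window, key the backend table on the same (sensor_id, event_id, event_second) triple so late extra data can still be joined.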
Current thread:
- Unified2 with EXTRA_DATA fields Jaime Blasco (May 24)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields Steven Sturges (May 25)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)