Honeypots mailing list archives

sebek pid rollover


From: "Frank S Posluszny, III" <fsp () mitre org>
Date: Fri, 02 Jun 2006 16:02:22 -0400

I'm assuming this is a known problem, since the /usr/sbin/sebekd.pl
script on a Honeywall roo install has a comment in it about needing to
work around the "pid rollover" issue.  And yet, I haven't been able to
find anything more about it on the honeynet bug server or the almighty
Google.

Anyone else working on this problem?

I'm thinking a real fix would be to include more information about the
process, such as start time, in the sebek packet; but that would require
yet another change to the protocol.

One possible work-around might be to assume it is highly unlikely for
two processes to have the same PID, PPID, and command name.  Then the
comparison can be on all three before deciding if it is data for a new
process or an old one.

Thoughts?

-Frank P
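As an added illustration of the work-around proposed in the post (not code from the thread, sebekd.pl or the Honeynet Project), the tracker below keys each process instance on the (PID, PPID, command name) triple and treats a record whose PID is known but whose PPID or command name differs as data for a new process. The record field names and the sample stream are constructed assumptions, not the sebek wire format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical decoded sebek record; field names are an assumption for this
# example, not the actual sebek packet layout.
@dataclass(frozen=True)
class SebekRecord:
    pid: int
    ppid: int
    com: str      # command name as reported by the sensor
    data: bytes   # keystroke / read() data carried by the record

class ProcessTracker:
    """Assign sebek records to process instances using (pid, ppid, com)."""

    def __init__(self) -> None:
        # pid -> (ppid, com, instance id) for the process currently owning that pid
        self._live: Dict[int, Tuple[int, str, int]] = {}
        self._next_id = 1
        self.rollovers = 0  # number of times a known pid showed up as a new process

    def instance_for(self, rec: SebekRecord) -> int:
        known = self._live.get(rec.pid)
        if known is not None and known[0] == rec.ppid and known[1] == rec.com:
            return known[2]  # same pid, ppid and command name: same process as before
        if known is not None:
            # pid is known but ppid or command changed: the pid was reused after
            # rollover (or exit), so this is data for a new process
            self.rollovers += 1
        inst = self._next_id
        self._next_id += 1
        self._live[rec.pid] = (rec.ppid, rec.com, inst)
        return inst

def assign_instances(records: List[SebekRecord]) -> Tuple[List[int], int]:
    """Return the instance id of every record plus the rollover count."""
    tracker = ProcessTracker()
    return [tracker.instance_for(r) for r in records], tracker.rollovers

# Constructed sample stream: pid 1234 is first a bash shell under init, then
# reappears as a different process (new ppid and command name) after rollover.
SAMPLE = [
    SebekRecord(1234, 1, "bash", b"ls -la\n"),
    SebekRecord(1234, 1, "bash", b"cat /etc/passwd\n"),
    SebekRecord(1234, 4321, "sh", b"id\n"),      # pid reused: new process
    SebekRecord(2000, 1234, "ls", b""),
    SebekRecord(1234, 4321, "sh", b"uname -a\n"),
]
```

Limitation the post itself acknowledges: a reused PID that also repeats the old PPID and command name is still merged with the earlier process, so the triple is a heuristic rather than a guarantee.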
