Snort mailing list archives
Re: Barnyard, Mudpit, and the Unified Output Format
From: Andreas Östling <andreaso () it su se>
Date: Wed, 25 Aug 2004 19:59:28 +0200 (CEST)
Maybe it's getting a bit off-topic, but I thought I'd mention that I think having tagged packets in the db can be useful even if each one creates a new event, although it would be nicer if it was done in a better way. I doubt it would ever be useful in ACID, but I created a simple patch for Sguil so you can query an alert for related tagged packets (qualified guess), or packets belonging to the same session as the alert, and then create some output from it. Sample screenshot is at http://people.su.se/~andreaso/sguiltmp/

/Andreas

On Tuesday 24 August 2004 15:27, Alex Butcher, ISC/ISYS wrote:

> I emailed the list a while back about how tagging works in conjunction with unified logging and spool processors. Andrew Baker (barnyard author) wrote:
>
> The unified output plugins definitely support the tag option. When tagging is enabled, all of the tagged packets will be written to the unified log file. Additionally, with recent versions of Snort, if an alert is triggered on a reassembled stream, then all of the packets for the stream will also be written to the unified log file. While I cannot speak for mudpit, Barnyard will process the tagged packets. However, how they are processed is up to the discretion of each output plug-in. I do know that the ACID database output plugin in Barnyard does not treat tagged packets properly. IIRC, each tagged packet will become a new event entry in the database instead of having all the packets associated with a single event. This is a limitation of the database design since it significantly predates tagged packet support.
>
> -A
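The two queries Andreas describes (tagged packets related to an alert by a "qualified guess", and packets in the same session as the alert) can be expressed against the flat one-row-per-packet layout the thread complains about. The following is an added example written for this archive page, not Andreas's Sguil patch and not Barnyard or ACID code; the `Event` fields, the sample rows and the time windows are constructed stand-ins for whatever the real alert table holds. It goes one step further than the message and also shows how to collapse a whole table of per-packet rows back into one logical alert plus its follow-on tagged packets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for one ACID-style event row: one row per packet,
# exactly the layout that makes every tagged packet look like a fresh alert.
@dataclass(frozen=True)
class Event:
    cid: int          # event id within the sensor
    ts: datetime      # packet timestamp
    sig: str          # signature name that produced the row
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def session_key(e):
    """Direction-independent flow key so request and reply packets match."""
    ends = sorted([(e.src, e.sport), (e.dst, e.dport)])
    return (e.proto, ends[0], ends[1])

# Constructed sample rows: cid 1 is the real alert, 2 and 3 are tagged
# packets of the same session stored as separate events, 4 and 6 are
# unrelated, 5 is the same flow but far too late to be a tag follow-on.
T0 = datetime(2004, 8, 24, 15, 27, 0)
EVENTS = [
    Event(1, T0, "WEB-MISC sample", "TCP", "10.0.0.5", 40001, "192.0.2.10", 80),
    Event(2, T0 + timedelta(seconds=1), "WEB-MISC sample", "TCP", "192.0.2.10", 80, "10.0.0.5", 40001),
    Event(3, T0 + timedelta(seconds=2), "WEB-MISC sample", "TCP", "10.0.0.5", 40001, "192.0.2.10", 80),
    Event(4, T0 + timedelta(seconds=3), "SCAN sample", "TCP", "10.0.0.9", 5555, "192.0.2.10", 22),
    Event(5, T0 + timedelta(seconds=400), "WEB-MISC sample", "TCP", "10.0.0.5", 40001, "192.0.2.10", 80),
    Event(6, T0 + timedelta(seconds=5), "WEB-MISC sample", "TCP", "10.0.0.7", 40500, "192.0.2.10", 80),
]

def _find(events, cid):
    return next(e for e in events if e.cid == cid)

def same_session(events, alert_cid, window):
    """Packets of the alert's session within +/- window of the alert."""
    alert = _find(events, alert_cid)
    key = session_key(alert)
    lo, hi = alert.ts - window, alert.ts + window
    return sorted(e.cid for e in events
                  if e.cid != alert_cid and session_key(e) == key and lo <= e.ts <= hi)

def tagged_guess(events, alert_cid, window):
    """Qualified guess at tagged packets: same signature, same session,
    and timestamped after the alert inside the tag window."""
    alert = _find(events, alert_cid)
    key = session_key(alert)
    return sorted(e.cid for e in events
                  if e.cid != alert_cid and e.sig == alert.sig
                  and session_key(e) == key and alert.ts <= e.ts <= alert.ts + window)

def collapse(events, window):
    """Regroup per-packet rows into (anchor_cid, [follow-on cids]) tuples.
    A row joins the most recent group with the same signature and session
    whose first packet is within `window`; otherwise it starts a new group."""
    groups = []  # each: dict(sig, key, start, anchor, follows)
    for e in sorted(events, key=lambda x: (x.ts, x.cid)):
        key = session_key(e)
        for g in reversed(groups):
            if g["sig"] == e.sig and g["key"] == key and e.ts - g["start"] <= window:
                g["follows"].append(e.cid)
                break
        else:
            groups.append({"sig": e.sig, "key": key, "start": e.ts,
                           "anchor": e.cid, "follows": []})
    return [(g["anchor"], g["follows"]) for g in groups]

if __name__ == "__main__":
    print("same session as cid 1:", same_session(EVENTS, 1, timedelta(seconds=300)))
    print("tagged guess for cid 1:", tagged_guess(EVENTS, 1, timedelta(seconds=60)))
    print("collapsed:", collapse(EVENTS, timedelta(seconds=60)))
```

The tag window is the one knob worth thinking about: it has to be at least as long as the `tag:` option on the rule that fired, otherwise late tagged packets (cid 5 above if the rule tagged for minutes rather than seconds) are counted as new incidents instead of being folded into the alert they belong to.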