Snort mailing list archives

Unified2 Record Order


From: firnsy <firnsy () securixlive com>
Date: Sat, 04 Jun 2011 08:10:39 +1000

G'day Snort dev,

I need some clarification regarding the record order in unified2 files.

Is it possible to receive a Packet record (1) at a later stage in the 
file that is associated with an earlier Event (A) record, which has a 
number of unrelated Event (B,C, ...) and Packet (2, 3, ...) records in 
between?

For example (hopefully it makes sense):

...A1111B2C3D44444441E5 ...

I have the feeling I've seen this before, and it was a packet from a 
portscan event that occurred previously, but other events had occurred 
(and had been written) in between. This was a long time ago though, and 
I'm now kinda doubting if I saw it at all.

It seems entirely possible this can happen, particularly with portscan 
events/packets, but I just want to make sure.

Regards,
firnsy

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
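The question above is about whether a reader may assume a Packet record always sits right after its Event record. The safe way to consume a unified2 file is to correlate by the ids each record carries rather than by position. The following is an added example, not code from the list thread or from Snort itself; the record layout (8-byte type/length header, type 7 legacy IDS event with sensor_id/event_id/event_second/event_microsecond/signature_id at the front, type 2 packet with a 28-byte header before the packet bytes) is taken from the unified2 spec as I know it, and the sample file is constructed inline to reproduce the "...A1B21..." ordering from the mail.

```python
import struct
from collections import defaultdict

# Record types from the unified2 spec (assumed here; the mail only says "Event"/"Packet").
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body

def iter_records(data):
    """Yield (type, body) per record; the header is two big-endian uint32: type, length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break                   # truncated trailing record: stop cleanly, do not guess
        yield rtype, body
        off += 8 + rlen

def correlate(data):
    """Map (sensor_id, event_id, event_second) -> signature_id and -> packet payloads.

    Keying on the ids inside each record means a packet written long after its
    event, with unrelated events in between, still lands on the correct event.
    """
    events = {}
    packets = defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            sensor_id, event_id, event_second = struct.unpack_from("!III", body, 0)
            signature_id = struct.unpack_from("!I", body, 16)[0]
            events[(sensor_id, event_id, event_second)] = signature_id
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id, event_second, _ps, _pus, _lt, plen = struct.unpack_from("!7I", body, 0)
            packets[(sensor_id, event_id, event_second)].append(body[28:28 + plen])
    return events, packets

# Constructed sample records (sensor_id 1, event_second 1000 throughout).
def make_event(event_id, signature_id, second=1000):
    body = struct.pack("!9I", 1, event_id, second, 0, signature_id, 1, 1, 0, 0) + bytes(16)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(event_id, payload, second=1000):
    body = struct.pack("!7I", 1, event_id, second, second, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

SAMPLE = b"".join([
    make_event(1, 1000001),          # A
    make_packet(1, b"A-pkt-1"),      # 1
    make_event(2, 1000002),          # B
    make_packet(2, b"B-pkt-1"),      # 2
    make_packet(1, b"A-pkt-late"),   # 1 again, written after B's records
])
```

Running `correlate(SAMPLE)` attaches both packets to event A even though event B and its packet were written in between.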
