Snort mailing list archives

Re: Unified2 Record Order


From: Steven Sturges <ssturges () sourcefire com>
Date: Sat, 04 Jun 2011 11:44:09 -0400

Yes, this is possible... When tagging packets associated with
events, subsequent packets are logged as they arrive, and could
be interspersed with other events and packets.

Within the unified2 structure, there is an event ID, and all
data associated with a unique event are logged with that event ID.

That includes the event itself, any associated packets, as well
as extra data events (eg, X-Forwarded-For data from HTTP that was
added in 2.9.0).

Hope this helps.

Cheers.
-steve

On 6/3/11 6:10 PM, firnsy wrote:
G'day Snort dev,

I need some clarification regarding the record order in unified2 files.

Is it possible to receive a Packet record (1) at a later stage in the
file that is associated with an earlier Event (A) record, which has a
number of unrelated Event (B,C, ...) and Packet (2, 3, ...) records in
between?

For example (hopefully it makes sense):

...A1111B2C3D44444441E5 ...

I have the feeling I've seen this before, and it was a packet from a
portscan event that occurred previously, but other events had occurred
(and had been written) in between. This was a long time ago though, and
I'm now kinda doubting if I saw it at all.

It seems entirely possible this can happen, particularly with portscan
events/packets, but I just want to make sure.

Regards,
firnsy

------------------------------------------------------------------------------
Simplify data backup and recovery for your virtual environment with vRanger.
Installation's a snap, and flexible recovery options mean your data is safe,
secure and there when you need it. Discover what all the cheering's about.
Get your free trial download today.
http://p.sf.net/sfu/quest-dev2dev2
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


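To illustrate the property Steve describes, here is a small parser, added here as an example and not code from this thread or from Snort, that reads a unified2 byte stream, correlates records by (sensor_id, event_id) no matter where they sit in the file, and flags events whose records are interleaved with other events. The record header and the layouts of the IDS event, packet and extra-data records follow my reading of Snort 2.9's Unified2_common.h (assumed, not taken from the page); the sample stream, the type/data_type values in the extra-data record and all helper names are constructed for the demonstration.

```python
"""Group unified2 records by event ID, tolerating interleaved records."""
import struct
from collections import defaultdict

# Record types (assumed from Snort 2.9 Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110

# Every record starts with a big-endian (type, length) header;
# length counts only the payload that follows the header.
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked (52 bytes).
EVENT_HDR = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Serial_Unified2Packet header: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length (28 bytes).
PACKET_HDR = struct.Struct("!IIIIIII")
# Unified2ExtraDataHdr (event_type, event_length) followed by Unified2ExtraData
# (sensor_id, event_id, event_second, type, data_type, blob_length): 32 bytes.
EXTRA_HDR = struct.Struct("!IIIIIIII")


def iter_records(data):
    """Yield (offset, type, payload) per record; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        if start + rlen > len(data):
            break  # partial record: writer still appending, or file cut short
        yield off, rtype, data[start:start + rlen]
        off = start + rlen


def event_key(rtype, payload):
    """Return (sensor_id, event_id) for record types that carry one, else None."""
    if rtype == UNIFIED2_IDS_EVENT:
        f = EVENT_HDR.unpack_from(payload)
        return f[0], f[1]
    if rtype == UNIFIED2_PACKET:
        f = PACKET_HDR.unpack_from(payload)
        return f[0], f[1]
    if rtype == UNIFIED2_EXTRA_DATA:
        f = EXTRA_HDR.unpack_from(payload)
        return f[2], f[3]  # skip the 8-byte ExtraDataHdr first
    return None


def group_by_event(data):
    """Map (sensor_id, event_id) -> [(stream_index, record_type), ...] in file order."""
    groups = defaultdict(list)
    for idx, (_off, rtype, payload) in enumerate(iter_records(data)):
        key = event_key(rtype, payload)
        if key is not None:
            groups[key].append((idx, rtype))
    return dict(groups)


def interleaved_events(groups):
    """Keys whose records are not contiguous, i.e. other records sit between them."""
    return {k for k, recs in groups.items()
            if recs[-1][0] - recs[0][0] + 1 > len(recs)}


# --- constructed sample stream (hypothetical values, not captured data) ---
def make_event(sensor_id, event_id, second):
    payload = EVENT_HDR.pack(sensor_id, event_id, second, 0, 1000001, 1, 1, 0, 3,
                             0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload


def make_packet(sensor_id, event_id, second, pkt):
    payload = PACKET_HDR.pack(sensor_id, event_id, second, second, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(payload)) + payload


def make_extra(sensor_id, event_id, second, blob):
    # event_type/type/data_type values are placeholders for the sample;
    # blob_length counts the blob plus the type and blob_length fields.
    payload = EXTRA_HDR.pack(4, 24 + len(blob), sensor_id, event_id, second,
                             1, 1, len(blob) + 8) + blob
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(payload)) + payload


# Event A (id 1) has a tagged packet and an extra-data record logged after
# event B (id 2) and its packet have already been written: A1 B2 1 A-extra.
SAMPLE = b"".join([
    make_event(1, 1, 1307138400),
    make_packet(1, 1, 1307138400, b"\x00" * 14 + b"A-pkt-1"),
    make_event(1, 2, 1307138401),
    make_packet(1, 2, 1307138401, b"\x00" * 14 + b"B-pkt-1"),
    make_packet(1, 1, 1307138402, b"\x00" * 14 + b"A-pkt-2"),
    make_extra(1, 1, 1307138400, b"10.0.0.9"),
])

if __name__ == "__main__":
    groups = group_by_event(SAMPLE)
    for key, recs in groups.items():
        print(key, recs)
    print("interleaved:", interleaved_events(groups))
```

A reader that assumes an event's packets always follow it immediately would attach A's second packet to event B; keying every record on (sensor_id, event_id) as above avoids that, and stopping at a truncated tail lets the same loop be re-run on a file that Snort is still writing.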

