Re: Unified2 Record Order

[beenph <beenph () gmail com>]

On Sat, Jun 4, 2011 at 11:44 AM, Steven Sturges <ssturges () sourcefire com> wrote:
> Yes, this is possible... When tagging packets associated with
> events, subsequent packets are logged as they arrive, and could
> be interspersed with other events and packets.

> Within the unified2 structure, there is an event ID, and all
> data associated with a unique event are logged with that event ID.
>
> That includes the event itself, any associated packets, as well
> as extra data events (eg, X-Forwarded-For data from HTTP that was
> added in 2.9.0).
>
> Hope this helps.
>
> Cheers.
> -steve


But events they way they are logged are logged with a event header and
a packet header if needed right?


[UNIFIED2 EVENT 1]
[UNIFIED2 PACKET 1]

[UNIFIED2 EVENT 2]
[UNIFIED2 PACKET 2]

[UNIFIED2 EVENT 3]
[UNIFIED2 PACKET 3]


And not

[UNIFIED2 EVENT 1]
[UNIFIED2 EVENT 2]

[UNIFIED2 EVENT 3]
[UNIFIED2 PACKET 2]
[UNIFIED2 PACKET 3]
[UNIFIED2 PACKET 1]


Right?

Thanks in advance.
-elz

------------------------------------------------------------------------------
Simplify data backup and recovery for your virtual environment with vRanger.
Installation's a snap, and flexible recovery options mean your data is safe,
secure and there when you need it. Discover what all the cheering's about.
Get your free trial download today. 
http://p.sf.net/sfu/quest-dev2dev2 
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel