Snort mailing list archives
Re: Unified2 Record Order
From: beenph <beenph () gmail com>
Date: Mon, 6 Jun 2011 11:12:47 -0400
On Mon, Jun 6, 2011 at 10:43 AM, Steven Sturges <ssturges () sourcefire com> wrote:
This is already there within the unified2 packet event structure. There are fields for the event_id and both the seconds from the original event, as well as the packet timestamp.

    typedef struct _Serial_Unified2Packet
    {
        uint32_t sensor_id;
        uint32_t event_id;
        uint32_t event_second;
        uint32_t packet_second;
        uint32_t packet_microsecond;
        uint32_t linktype;
        uint32_t packet_length;
        uint8_t packet_data[4];
    } Serial_Unified2Packet;
Well, this touches on what I was trying to express from my understanding, but if you look at how a call to CheckTagging in Decode.c unwinds, it will call CheckTagList. If an event is found, CheckTagList will set the reference time and event id from the "returned" event:

    tag.c
    CheckTagList(Packet *p, Event *event)
    <SNIP>
        if (create_event)
        {
            /* set the event info */
            SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id);

            /* set event reference details */
            event->ref_time.tv_sec = returned->event_time.tv_sec;
            event->ref_time.tv_usec = returned->event_time.tv_usec;
            event->event_reference = returned->event_id | ScEventLogId();
        }
    </SNIP>

Then CheckTagging will call CallLogFuncs, and it will do the following:

    event->ref_time.tv_sec = p->pkth->ts.tv_sec;
    event->ref_time.tv_usec = p->pkth->ts.tv_usec;
From my understanding this will remove the reference set by CheckTagList to put back the time of the tagged packet in the event.

From there the only reference is the event_id, but since event_id can wrap, is it really reliable? Maybe my understanding of the code flow is wrong?

-elz
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- Unified2 Record Order firnsy (Jun 03)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Steven Sturges (Jun 06)
- Re: Unified2 Record Order beenph (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order Russ Combs (Jun 06)
- Re: Unified2 Record Order beenph (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)
- Re: Unified2 Record Order Steven Sturges (Jun 04)