Snort mailing list archives
Re: Unified2 with EXTRA_DATA fields
From: beenph <beenph () gmail com>
Date: Fri, 25 May 2012 00:21:17 -0400
On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco <jaime.blasco () alienvault com> wrote:
Hi, I want to explain a problem that we have while adapting our Unified2 parser to the new extra-data fields. The problem is that when you want to parse the events in real time you don't have a way to know if the Event will have an ExtraData later in the file.
Either keep a cache of events that previously happened or handle it in your storage backend. -elz
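One way to implement the first option in that reply (a bounded cache of recently seen events, with EXTRA_DATA records attached as they arrive), as an added example that is not part of the thread and not Snort's own code. The record type numbers (UNIFIED2_IDS_EVENT = 7, UNIFIED2_PACKET = 2, UNIFIED2_EXTRA_DATA = 110) and the field layouts follow Snort's unified2.h as I recall it; the input byte stream, the cache size and the `Correlator`/`correlate` names are all constructed for the example.

```python
"""Streaming correlation of Unified2 EXTRA_DATA records with their events.

Added example, not Snort's code. Layouts follow unified2.h as understood by
the author; the sample stream below is constructed, not captured from Snort.
"""
import struct
from collections import OrderedDict

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110

# Record header: uint32 type, uint32 length, network byte order.
RECORD_HDR = struct.Struct(">II")
# Unified2IDSEvent (52 bytes): sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked.
IDS_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")
# Extra-data header (32 bytes): event_type, event_length, sensor_id,
# event_id, event_second, type, data_type, blob_length; the blob follows.
EXTRA_HDR = struct.Struct(">IIIIIIII")


def split_records(buf):
    """Return ([(type, body), ...], leftover). A caller tailing a live
    unified2 file keeps `leftover` (a partial record) for the next read."""
    records, off = [], 0
    while len(buf) - off >= RECORD_HDR.size:
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        if len(buf) - off - RECORD_HDR.size < rlen:
            break  # partial record: wait for more bytes
        start = off + RECORD_HDR.size
        records.append((rtype, buf[start:start + rlen]))
        off = start + rlen
    return records, buf[off:]


class Correlator:
    """Keeps the N most recent events keyed by (sensor_id, event_id) so a
    later EXTRA_DATA record can be attached; events leave the cache (and are
    emitted) when it overflows or on flush()."""

    def __init__(self, max_cached=1000):
        self.cache = OrderedDict()
        self.max_cached = max_cached
        self.orphans = 0  # extra data whose event is unknown or already evicted

    def feed(self, rtype, body):
        """Consume one record; return events evicted by it (now final)."""
        done = []
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(body)
            self.cache[(f[0], f[1])] = {"sensor_id": f[0], "event_id": f[1],
                                        "event_second": f[2], "sig_id": f[4],
                                        "gen_id": f[5], "extra": []}
            while len(self.cache) > self.max_cached:
                done.append(self.cache.popitem(last=False)[1])
        elif rtype == UNIFIED2_EXTRA_DATA:
            h = EXTRA_HDR.unpack_from(body)
            # Take the remainder of the record as the blob; the record length
            # from the header is the bound a parser can rely on.
            blob = body[EXTRA_HDR.size:]
            ev = self.cache.get((h[2], h[3]))
            if ev is None:
                self.orphans += 1
            else:
                ev["extra"].append((h[5], blob))  # (extra-data type, blob)
        return done  # packet and other record types are passed over here

    def flush(self):
        done = list(self.cache.values())
        self.cache.clear()
        return done


def correlate(buf, max_cached=1000):
    """Run a buffer through the correlator; return (events, orphans, leftover_len)."""
    corr, finished = Correlator(max_cached), []
    records, leftover = split_records(buf)
    for rtype, body in records:
        finished.extend(corr.feed(rtype, body))
    finished.extend(corr.flush())
    return finished, corr.orphans, len(leftover)


# --- constructed sample stream (not Snort output) ---------------------------
def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def _event(sensor_id, event_id, sig_id):
    return _record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        sensor_id, event_id, 1337900000, 0, sig_id, 1, 1, 0, 2,
        0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0))


def _extra(sensor_id, event_id, xtype, blob):
    hdr = EXTRA_HDR.pack(4, EXTRA_HDR.size + len(blob), sensor_id, event_id,
                         1337900000, xtype, 1, len(blob))
    return _record(UNIFIED2_EXTRA_DATA, hdr + blob)


# Event 1, its packet, then event 2, and only then extra data for event 1
# (the ordering the question describes); the last record names an event
# that never appeared and must be counted as an orphan.
SAMPLE = (_event(0, 1, 1000001) + _record(UNIFIED2_PACKET, b"\x00" * 16)
          + _event(0, 2, 1000002) + _extra(0, 1, 1, b"\xc0\xa8\x01\x05")
          + _extra(0, 9, 1, b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    events, orphans, left = correlate(SAMPLE)
    for ev in events:
        print(ev["event_id"], ev["sig_id"], ev["extra"])
    print("orphans:", orphans, "leftover bytes:", left)
```

Running `correlate(SAMPLE, max_cached=1)` shows the tradeoff the reply implies: event 1 is evicted as soon as event 2 arrives, so its extra data becomes an orphan. The cache has to be sized for the gap between an event and its extra data in the file, and anything that falls out of it has to be reconciled in the storage backend instead.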
Current thread:
- Unified2 with EXTRA_DATA fields Jaime Blasco (May 24)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields Steven Sturges (May 25)
- Re: Unified2 with EXTRA_DATA fields Jaime Blasco (May 25)
- Re: Unified2 with EXTRA_DATA fields beenph (May 24)