Re: Unified2 with EXTRA_DATA fields

[Steven Sturges <ssturges () sourcefire com>]

Hi Jamie--

The issue is that when an event is logged, Snort may not have seen
enough of the connection to know that there will be extra data logged.
To do this, Snort would need to hold on to more packets before logging
an event, which is not optimal in terms of memory or performance.

Snort does provide linking information in the extra data structure,
so that it can easily be associated w/ the event itself, so as Eric
suggests, doing that in the back-end/event storage is the best option.

Cheers.
-steve

On 5/25/12 4:49 AM, Jaime Blasco wrote:
> Hi,
>
> Yes, that is the obvious solution. The problem is that the system will
> be slowed down using that approach. is there any plan to include a flag
> on the Packet data to show the Packet will have an associated ExtraData?
>
> Best Regards
>
> On Fri, May 25, 2012 at 6:21 AM, beenph <beenph () gmail com
> <mailto:beenph () gmail com>> wrote:
>
>     On Thu, May 24, 2012 at 7:14 AM, Jaime Blasco
>     <jaime.blasco () alienvault com <mailto:jaime.blasco () alienvault com>>
>     wrote:
>      > Hi,
>      >
>      > I want to explain a problem that we have while adapting our
>     Unified2 parser
>      > to the new extra-data fields.
>      >
>      > The problem is that when you want to parse the vents in real time
>     you don't
>      > have a way to know if the Event will have an ExtraData later in
>     the file.
>      >
>
>     Either keep a cache of events that previously happened or handle it in
>     your storage backend.
>
>     -elz
>
>
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> AlienVault Labs Manager
>
> www.ossim.com <http://www.ossim.com>
> labs.alienvault.com <http://labs.alienvault.com>
> Email: jaime.blasco () alienvault com <mailto:jaime.blasco () alienvault com>
>
> http://twitter.com/jaimeblascob
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!