Re: Fwd: Re: barnyard2-1.10 major problem

[beenph <beenph () gmail com>]

On Thu, Oct 25, 2012 at 9:13 AM, Jack <kingofnerds () gmail com> wrote:
> ---------- Forwarded message ----------
> From: "Jack" <kingofnerds () gmail com>
> Date: Oct 25, 2012 9:11 AM
> Subject: Re: [Snort-users] barnyard2-1.10 major problem
> To: "beenph" <beenph () gmail com>
>
> Last time I enabled the alert on each packet, I just got more alerts,  what
> I think is being requested is to have all the packets in a single alert for
> one event



On Thu, Oct 25, 2012 at 9:11 AM, Jack <kingofnerds () gmail com> wrote:
> Last time I enabled the alert on each packet, I just got more alerts,  what
> I think is being requested is to have all the packets in a single alert for
> one event

Thats not really the way it works.

Since a event can have multiple packet.

At the output plugin level, the output plugin expect a event structure
and a packet structure.

What the cache does is cache the event structure and when a packet
matching a previously triggered
event it will call the output plugin with the associated event
structure (event record) and the current processed packet.

So its the expected behavior.

The reason i didin't click right away is that the 2.2 spooler like
this by default. and does not need any command line argument.

-elz

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!