<div dir="ltr">You can see my PR that did make it Snort compliant here:<div><br></div><div><a href="https://github.com/inliniac/suricata/pull/2184">https://github.com/inliniac/suricata/pull/2184</a></div><div><br></div><div>but it may have some issues that are not immediately apparent, which is why we went for a simpler fix at this time.</div><div><br></div><div>Jason<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 16, 2017 at 9:32 AM, Jim Hranicky <span dir="ltr"><<a href="mailto:jfh@ufl.edu" target="_blank">jfh@ufl.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I can see what I can find - should I be looking in<br>
detect-engine-tag.c and/or alert-unified2-alert.c ?<br>
<br>
Jim<br>
<div><div class="gmail-h5"><br>
On 03/16/2017 11:07 AM, Jason Ish wrote:<br>
> Hi Jim,<br>
><br>
> No, nothing yet. It's not as simple as it might seem and I haven't got back<br>
> to it yet.<br>
><br>
> Jason<br>
><br>
> On Wed, Mar 8, 2017 at 12:51 PM, Jim Hranicky <<a href="mailto:jfh@ufl.edu">jfh@ufl.edu</a>> wrote:<br>
><br>
>> Howdy,<br>
>><br>
>> Just checking in. Is there a change to the tagged packet logging for<br>
>> u2 still in the works?<br>
>><br>
>> Thanks,<br>
>> Jim<br>
>><br>
>> On 11/04/2016 10:07 AM, Jim Hranicky wrote:<br>
>>> On 11/03/2016 06:55 PM, Jason Ish wrote:<br>
>>><br>
>>>>> Is it possible to have the tagged packets use the same sid as<br>
>>>>> the rule they originated from?<br>
>>>><br>
>>>> Hi Jim,<br>
>>>><br>
>>>> I'm guessing you are using unified2 output? This likely won't happen<br>
>>>> as Snort's unified2 doesn't have an associated event with a tagged<br>
>>>> packet, instead you back track to the generating event using the<br>
>>>> timestamp fields.<br>
>>><br>
>>> Yes, I'm using u2/barnyard2. I have the ability to match up events<br>
>>> based on ips/timestamps, but it'd be great not to have to do so.<br>
>>><br>
>>>> Suricata still prefixes the tagged packet records with a unified1<br>
>>>> style event header which uses gid 2 and sid 1.  I'll revisit this<br>
>>>> soon to make it identical to Snort's behaviour with unified2.<br>
>>><br>
>>> That'd be awesome.<br>
>>><br>
>>>> With tagged packet support for eve logging I dropped the references to<br>
>>>> the originating alert altogether.  Instead you can use the flow_id<br>
>>>> and/or 5 tuple to associate tagged packets with their event.  I find<br>
>>>> this a better approach as multiple alerts could trigger the same<br>
>>>> packets to be logged, in which case it is unclear which you would<br>
>>>> attribute the tagged packets with.<br>
>>><br>
>>> Probably is a better approach, but as I'm still on u2 if the tagged<br>
>>> packets could simply have the original gid/sid that'd be really<br>
>>> helpful.<br>
>>><br>
>>> Thanks,<br>
>>> Jim<br>
>>> _______________________________________________<br>
>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
</div></div>>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" target="_blank">http://suricon.net</a><br>
>>><br>
>><br>
><br>
</blockquote></div><br></div></div></div>
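One way to do the matching the thread describes, as an added example written for this page rather than code from Suricata or either correspondent: it walks Snort-format unified2 records (type 7 IPv4 events, type 2 packets), joins each packet to its event on the (sensor_id, event_id, event_second) triple the packet record carries, and when that event is the gid 2/sid 1 tag header Suricata wrote, falls back to the nearest earlier real event on the same 5-tuple, which is the ip/timestamp matching Jim mentions. The sample file is constructed, and the fallback assumes the pseudo-event carries the same 5-tuple direction as the originating alert.

```python
import struct
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
EVENT_FMT = ">IIIIIIIII4s4sHHBBBB"   # Snort unified2 IPv4 IDS event, 52 bytes, big-endian
PACKET_FMT = ">IIIIIII"             # unified2 packet header, 28 bytes, packet bytes follow
TAG_PSEUDO = (2, 1)                 # (gid, sid) Suricata wrote on tagged-packet headers

def records(buf):
    """Yield (record_type, body) for each record in a unified2 buffer."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, off)
        yield rtype, buf[off + 8:off + 8 + rlen]
        off += 8 + rlen

def correlate(buf):
    """Return [(gid, sid, packet_second)] per packet record. A packet joins its event
    on (sensor_id, event_id, event_second); one whose event is the gid 2/sid 1 pseudo-
    event is re-attributed to the nearest earlier real event on the same 5-tuple."""
    events, real, out = {}, [], []
    for rtype, body in records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body[:52])
            tup = f[9:14]                             # src, dst, sport, dport, proto
            events[f[0:3]] = (f[5], f[4], f[2], tup)  # gid, sid, event_second, 5-tuple
            if (f[5], f[4]) != TAG_PSEUDO:
                real.append((f[2], tup, f[5], f[4]))
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack_from(PACKET_FMT, body)
            ev = events.get(hdr[0:3])
            gid, sid = (None, None) if ev is None else ev[0:2]
            if (gid, sid) == TAG_PSEUDO:              # ip/timestamp fallback for tag headers
                cands = [e for e in real if e[1] == ev[3] and e[0] <= ev[2]]
                best = max(cands, key=lambda e: e[0], default=None)
                gid, sid = (best[2], best[3]) if best else (None, None)
            out.append((gid, sid, hdr[3]))
    return out

# Constructed sample: a real alert plus its packet, then a tagged packet whose header
# is the gid 2/sid 1 pseudo-event. Every value below is made up for the demonstration.
def event(sensor, ev_id, sec, gid, sid, src, dst, sport, dport, proto):
    body = struct.pack(EVENT_FMT, sensor, ev_id, sec, 0, sid, gid, 1, 0, 1,
                       src, dst, sport, dport, proto, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def packet(sensor, ev_id, ev_sec, psec, data):
    body = struct.pack(PACKET_FMT, sensor, ev_id, ev_sec, psec, 0, 1, len(data)) + data
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

T = (bytes([10, 0, 0, 5]), bytes([192, 168, 1, 9]), 44321, 80, 6)   # constructed 5-tuple
SAMPLE = (event(1, 10, 1000, 1, 1000001, *T) + packet(1, 10, 1000, 1000, b"\xaa" * 8)
          + event(1, 11, 1001, 2, 1, *T) + packet(1, 11, 1001, 1001, b"\xbb" * 8))
```

`correlate(SAMPLE)` attributes both packets to gid 1 / sid 1000001; a packet whose event record is missing comes back with `None` for both so it can be flagged rather than silently dropped.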