<div dir="ltr">Hi Jim,<div><br></div><div>No, nothing yet. Its not as simple as it might seem and I haven't got back to yet.</div><div><br></div><div>Jason<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 8, 2017 at 12:51 PM, Jim Hranicky <span dir="ltr"><<a href="mailto:jfh@ufl.edu" target="_blank">jfh@ufl.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Howdy,<br>
<br>
Just checking in. Is there a change to the tagged packet logging for<br>
u2 still in the works?<br>
<br>
Thanks,<br>
Jim<br>
<div class="HOEnZb"><div class="h5"><br>
On 11/04/2016 10:07 AM, Jim Hranicky wrote:<br>
> On 11/03/2016 06:55 PM, Jason Ish wrote:<br>
><br>
>>> Is it possible to have the tagged packets use the same sid as<br>
>>> the rule they originated from?<br>
>><br>
>> Hi Jim,<br>
>><br>
>> I'm guessing you are using unified2 output? This likely won't happen<br>
>> as Snort's unified2 doesn't have an associated event with a tagged<br>
>> packet, instead you back track to the generating event using the<br>
>> timestamp fields.<br>
><br>
> Yes, I'm using u2/barnyard2 . I have the ability to match up events<br>
> based on ips/timestamps, but it'd be great not to have to do so.<br>
><br>
>> Suricata still prefixes the tagged packet records with a unified1<br>
>> style event header which is uses gid 2 and sid 1. I'll revisit this<br>
>> soon to make it identical to Snort's behaviour with unified2.<br>
><br>
> That'd be awesome.<br>
><br>
>> With tagged packet support for eve logging I dropped the references to<br>
>> the originating alert altogether. Instead you can use the flow_id<br>
>> and/or 5 tuple to associated tagged packets with their event. I find<br>
>> this a better approach as multiple alerts could trigger the same<br>
>> packets to be logged, in which case it is unclear which you would<br>
>> attribute the tagged packets with.<br>
><br>
> Probably is a better approach, but as I'm still on u2 if the tagged<br>
> packets could simply have the original gid/sid that'd be really<br>
> helpful.<br>
><br>
> Thanks,<br>
> Jim<br>
</div></div><div class="HOEnZb"><div class="h5">> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" target="_blank">http://suricon.net</a><br>
><br>
</div></div></blockquote></div><br></div></div></div>