[Oisf-users] Tagged packet logging

Jason Ish lists at unx.ca
Thu Nov 3 22:55:58 UTC 2016


On Thu, Nov 3, 2016 at 3:17 PM, Jim Hranicky <jfh at ufl.edu> wrote:
> I've read recently that tagged packet logging was fixed in 3.1.2.
> I'm currently running this version and it does seem to be working,
> however, all the tagged packets are showing up as sid:1, tagged
> packet.
>
> Is it possible to have the tagged packets use the same sid as
> the rule they originated from?

Hi Jim,

I'm guessing you are using unified2 output? This likely won't happen
as Snort's unified2 doesn't have an associated event with a tagged
packet, instead you back track to the generating event using the
timestamp fields.

Suricata still prefixes the tagged packet records with a unified1
style event header which uses gid 2 and sid 1.  I'll revisit this
soon to make it identical to Snort's behaviour with unified2.

With tagged packet support for eve logging I dropped the references to
the originating alert altogether.  Instead you can use the flow_id
and/or 5 tuple to associate tagged packets with their event.  I find
this a better approach as multiple alerts could trigger the same
packets to be logged, in which case it is unclear which you would
attribute the tagged packets to.

Hope this helps,
Jason
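As an added illustration of the correlation approach described above (example code, not part of the original post or of Suricata itself): the script below walks constructed EVE JSON lines, collects the gid:sid:rev of every alert per flow_id, and attaches to each tagged packet record every alert seen on the same flow, falling back to a direction-independent 5-tuple when a record carries no flow_id. It assumes tagged packets are logged with event_type "packet" and that alerts precede the packets they tag in the file (true in time-ordered output).

```python
import json
from collections import defaultdict

# Constructed EVE lines, not a real Suricata log: two alerts on flow 1001 tag one packet,
# one alert on flow 1002 tags a reverse-direction packet that lacks flow_id,
# and flow 1003 has a tagged packet with no alert on file (orphan).
EVE_LINES = """\
{"timestamp":"2016-11-03T22:00:00.000001+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED rule A"}}
{"timestamp":"2016-11-03T22:00:00.000002+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000002,"rev":1,"signature":"CONSTRUCTED rule B"}}
{"timestamp":"2016-11-03T22:00:00.000003+0000","flow_id":1001,"event_type":"packet","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","packet":"AAAA","packet_info":{"linktype":1}}
{"timestamp":"2016-11-03T22:00:00.000004+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.6","src_port":40002,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000003,"rev":1,"signature":"CONSTRUCTED rule C"}}
{"timestamp":"2016-11-03T22:00:00.000005+0000","event_type":"packet","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.6","dest_port":40002,"proto":"TCP","packet":"BBBB","packet_info":{"linktype":1}}
{"timestamp":"2016-11-03T22:00:00.000006+0000","flow_id":1003,"event_type":"packet","src_ip":"10.0.0.7","src_port":40003,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","packet":"CCCC","packet_info":{"linktype":1}}
"""


def flow_key(rec):
    """Direction-independent 5-tuple: (proto, sorted endpoint pair)."""
    endpoints = sorted([(rec["src_ip"], rec["src_port"]), (rec["dest_ip"], rec["dest_port"])])
    return (rec["proto"], endpoints[0], endpoints[1])


def correlate(lines):
    """Return [(packet_timestamp, [gid:sid:rev, ...])] for every tagged packet record.

    A packet keeps every alert seen on its flow, since more than one rule may have
    tagged it; an empty list marks a packet whose alert is not in the input.
    """
    alerts_by_flow = defaultdict(list)   # flow_id -> alert ids
    alerts_by_tuple = defaultdict(list)  # 5-tuple -> alert ids (fallback)
    results = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            a = rec["alert"]
            sid = f'{a["gid"]}:{a["signature_id"]}:{a["rev"]}'
            if "flow_id" in rec:
                alerts_by_flow[rec["flow_id"]].append(sid)
            alerts_by_tuple[flow_key(rec)].append(sid)
        elif rec.get("event_type") == "packet":
            # Prefer flow_id; use the 5-tuple only when the record has none.
            if "flow_id" in rec:
                sids = alerts_by_flow.get(rec["flow_id"], [])
            else:
                sids = alerts_by_tuple.get(flow_key(rec), [])
            results.append((rec["timestamp"], list(sids)))
    return results


if __name__ == "__main__":
    for ts, sids in correlate(EVE_LINES):
        print(ts, sids or "no matching alert")
```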