[Oisf-users] Tagged packet logging

Jim Hranicky jfh at ufl.edu
Fri Nov 4 14:07:56 UTC 2016

On 11/03/2016 06:55 PM, Jason Ish wrote:

>> Is it possible to have the tagged packets use the same sid as
>> the rule they originated from?
> Hi Jim,
> I'm guessing you are using unified2 output? This likely won't happen
> as Snort's unified2 doesn't have an associated event with a tagged
> packet, instead you back track to the generating event using the
> timestamp fields.

Yes, I'm using u2/barnyard2 . I have the ability to match up events
based on ips/timestamps, but it'd be great not to have to do so.

> Suricata still prefixes the tagged packet records with a unified1
> style event header which is uses gid 2 and sid 1.  I'll revisit this
> soon to make it identical to Snort's behaviour with unified2.

That'd be awesome.

> With tagged packet support for eve logging I dropped the references to
> the originating alert altogether.  Instead you can use the flow_id
> and/or 5 tuple to associated tagged packets with their event.  I find
> this a better approach as multiple alerts could trigger the same
> packets to be logged, in which case it is unclear which you would
> attribute the tagged packets with.

Probably is a better approach, but as I'm still on u2 if the tagged
packets could simply have the original gid/sid that'd be really


More information about the Oisf-users mailing list