[Oisf-users] Tagged packet logging
Jim Hranicky
jfh at ufl.edu
Fri Nov 4 14:07:56 UTC 2016
On 11/03/2016 06:55 PM, Jason Ish wrote:
>> Is it possible to have the tagged packets use the same sid as
>> the rule they originated from?
>
> Hi Jim,
>
> I'm guessing you are using unified2 output? This likely won't happen
> as Snort's unified2 doesn't have an associated event with a tagged
> packet, instead you back track to the generating event using the
> timestamp fields.
Yes, I'm using u2/barnyard2 . I have the ability to match up events
based on ips/timestamps, but it'd be great not to have to do so.
> Suricata still prefixes the tagged packet records with a unified1
> style event header which is uses gid 2 and sid 1. I'll revisit this
> soon to make it identical to Snort's behaviour with unified2.
That'd be awesome.
> With tagged packet support for eve logging I dropped the references to
> the originating alert altogether. Instead you can use the flow_id
> and/or 5 tuple to associated tagged packets with their event. I find
> this a better approach as multiple alerts could trigger the same
> packets to be logged, in which case it is unclear which you would
> attribute the tagged packets with.
Probably is a better approach, but as I'm still on u2 if the tagged
packets could simply have the original gid/sid that'd be really
helpful.
Thanks,
Jim
More information about the Oisf-users
mailing list