[Oisf-users] Tagged packet logging

Jim Hranicky jfh at ufl.edu
Wed Mar 8 18:51:58 UTC 2017


Howdy,

Just checking in. Is there a change to the tagged packet logging for
u2 still in the works?

Thanks,
Jim

On 11/04/2016 10:07 AM, Jim Hranicky wrote:
> On 11/03/2016 06:55 PM, Jason Ish wrote:
> 
>>> Is it possible to have the tagged packets use the same sid as
>>> the rule they originated from?
>>
>> Hi Jim,
>>
>> I'm guessing you are using unified2 output? This likely won't happen
>> as Snort's unified2 doesn't have an associated event with a tagged
>> packet, instead you back track to the generating event using the
>> timestamp fields.
> 
> Yes, I'm using u2/barnyard2. I have the ability to match up events
> based on IPs/timestamps, but it'd be great not to have to do so.
> 
>> Suricata still prefixes the tagged packet records with a unified1
>> style event header which uses gid 2 and sid 1.  I'll revisit this
>> soon to make it identical to Snort's behaviour with unified2.
> 
> That'd be awesome.
> 
>> With tagged packet support for eve logging I dropped the references to
>> the originating alert altogether.  Instead you can use the flow_id
>> and/or 5 tuple to associate tagged packets with their event.  I find
>> this a better approach as multiple alerts could trigger the same
>> packets to be logged, in which case it is unclear which you would
>> attribute the tagged packets to.
> 
> Probably is a better approach, but as I'm still on u2 if the tagged
> packets could simply have the original gid/sid that'd be really
> helpful.
> 
> Thanks,
> Jim
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> 

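The correlation Jason describes for eve output (tagged packets carry no gid/sid, so you join them to alerts by flow_id, falling back to the 5-tuple) can be scripted against eve.json. The block below is an added example, not code from the thread or from the Suricata project. It assumes the eve field names as the editor understands them (event_type "packet" for tagged packets, flow_id, src_ip/src_port/dest_ip/dest_port/proto, and alert.signature_id); the sample records are constructed, not real Suricata output. It also shows the ambiguity Jason points out: a packet in a flow with two earlier alerts comes back attributed to both sids, and the reader decides what to do with that.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real Suricata output). Field names are
# assumed to match Suricata's eve schema; "packet" would be base64 packet bytes.
# The last packet record deliberately lacks flow_id to exercise the 5-tuple path.
SAMPLE_EVE = """\
{"timestamp":"2017-03-08T18:00:00.000001+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000001,"rev":1,"signature":"TEST tagged session"}}
{"timestamp":"2017-03-08T18:00:00.000500+0000","flow_id":1001,"event_type":"packet","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","packet":"AAAA","packet_info":{"linktype":1}}
{"timestamp":"2017-03-08T18:00:00.000700+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000002,"rev":1,"signature":"TEST second rule same flow"}}
{"timestamp":"2017-03-08T18:00:00.001000+0000","flow_id":1001,"event_type":"packet","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":40000,"proto":"TCP","packet":"BBBB","packet_info":{"linktype":1}}
{"timestamp":"2017-03-08T18:00:01.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.6","src_port":50000,"dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP","alert":{"gid":1,"signature_id":2000003,"rev":1,"signature":"TEST other flow"}}
{"timestamp":"2017-03-08T18:00:01.000200+0000","event_type":"packet","src_ip":"192.0.2.11","src_port":443,"dest_ip":"10.0.0.6","dest_port":50000,"proto":"TCP","packet":"CCCC","packet_info":{"linktype":1}}
"""


def five_tuple(rec):
    """Direction-independent 5-tuple key so both directions of a flow match."""
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dest_ip"], rec["dest_port"])
    lo, hi = sorted([a, b])
    return (rec["proto"], lo, hi)


def correlate(lines):
    """Attach each tagged packet record to the alert(s) that could have tagged it.

    Matching prefers flow_id (unique per flow within a Suricata run) and falls
    back to the 5-tuple, which is not unique over time but is all that remains
    when flow_id is absent. Only alerts logged at or before the packet's
    timestamp are kept, since a later alert cannot have caused the tag.
    Timestamps are compared as strings; that is valid because eve emits a
    fixed-width ISO format with a constant offset.
    """
    alerts_by_flow = defaultdict(list)
    alerts_by_tuple = defaultdict(list)
    packets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        et = rec.get("event_type")
        if et == "alert":
            if "flow_id" in rec:
                alerts_by_flow[rec["flow_id"]].append(rec)
            alerts_by_tuple[five_tuple(rec)].append(rec)
        elif et == "packet":
            packets.append(rec)

    results = []
    for pkt in packets:
        if "flow_id" in pkt and pkt["flow_id"] in alerts_by_flow:
            cands, how = alerts_by_flow[pkt["flow_id"]], "flow_id"
        else:
            cands, how = alerts_by_tuple.get(five_tuple(pkt), []), "5-tuple"
        cands = [a for a in cands if a["timestamp"] <= pkt["timestamp"]]
        results.append({
            "packet": pkt,
            "matched_by": how,
            # More than one sid here is exactly the ambiguity from the thread.
            "sids": [a["alert"]["signature_id"] for a in cands],
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_EVE.splitlines()):
        p = r["packet"]
        print(p["timestamp"], p["src_ip"], "->", p["dest_ip"],
              "via", r["matched_by"], "sids", r["sids"])
```

Run it against a real eve.json with `correlate(open("eve.json"))`; records with other event_type values are ignored. Because a 5-tuple is reused across connections over time, the fallback path should be treated as a hint to be confirmed against the alert's timestamp window, not as a definitive join.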