[Oisf-users] Tagged packet logging

Jason Ish lists at unx.ca
Thu Mar 16 15:07:36 UTC 2017


Hi Jim,

No, nothing yet. It's not as simple as it might seem and I haven't got back
to it yet.

Jason

On Wed, Mar 8, 2017 at 12:51 PM, Jim Hranicky <jfh at ufl.edu> wrote:

> Howdy,
>
> Just checking in. Is there a change to the tagged packet logging for
> u2 still in the works?
>
> Thanks,
> Jim
>
> On 11/04/2016 10:07 AM, Jim Hranicky wrote:
> > On 11/03/2016 06:55 PM, Jason Ish wrote:
> >
> >>> Is it possible to have the tagged packets use the same sid as
> >>> the rule they originated from?
> >>
> >> Hi Jim,
> >>
> >> I'm guessing you are using unified2 output? This likely won't happen,
> >> as Snort's unified2 doesn't have an associated event with a tagged
> >> packet; instead you backtrack to the generating event using the
> >> timestamp fields.
> >
> > Yes, I'm using u2/barnyard2. I have the ability to match up events
> > based on IPs/timestamps, but it'd be great not to have to do so.
> >
> >> Suricata still prefixes the tagged packet records with a unified1
> >> style event header which uses gid 2 and sid 1. I'll revisit this
> >> soon to make it identical to Snort's behaviour with unified2.
> >
> > That'd be awesome.
> >
> >> With tagged packet support for eve logging I dropped the references to
> >> the originating alert altogether. Instead you can use the flow_id
> >> and/or 5-tuple to associate tagged packets with their event. I find
> >> this a better approach as multiple alerts could trigger the same
> >> packets to be logged, in which case it is unclear which you would
> >> attribute the tagged packets to.
> >
> > Probably is a better approach, but as I'm still on u2 if the tagged
> > packets could simply have the original gid/sid that'd be really
> > helpful.
> >
> > Thanks,
> > Jim
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> >
>
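The flow_id / 5-tuple correlation Jason describes for eve output, as an added example that is not part of the thread or of Suricata itself. It parses constructed EVE JSON lines (field names such as `event_type`, `flow_id` and `alert.signature_id` are assumed to follow Suricata's EVE format), attaches each tagged "packet" record to the alerts seen earlier on the same flow, and flags the ambiguous case where more than one alert could have tagged the packet.

```python
import json
from collections import defaultdict

# Constructed EVE lines (not from the thread); field names are assumptions
# about Suricata's EVE JSON: alerts carry alert.gid/signature_id, and
# tagged packets appear as event_type "packet" on the same flow.
EVE_LINES = [
    '{"timestamp":"2017-03-16T15:00:01.000000+0000","event_type":"alert","flow_id":1111,'
    '"src_ip":"10.0.0.5","src_port":41000,"dest_ip":"192.0.2.9","dest_port":80,"proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2000001}}',
    '{"timestamp":"2017-03-16T15:00:02.000000+0000","event_type":"alert","flow_id":1111,'
    '"src_ip":"10.0.0.5","src_port":41000,"dest_ip":"192.0.2.9","dest_port":80,"proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2000002}}',
    '{"timestamp":"2017-03-16T15:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":5555,"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2000003}}',
    '{"timestamp":"2017-03-16T15:00:05.000000+0000","event_type":"packet","flow_id":1111,'
    '"src_ip":"192.0.2.9","src_port":80,"dest_ip":"10.0.0.5","dest_port":41000,"proto":"TCP"}',
    '{"timestamp":"2017-03-16T15:00:06.000000+0000","event_type":"packet",'
    '"src_ip":"192.0.2.9","src_port":443,"dest_ip":"10.0.0.7","dest_port":5555,"proto":"TCP"}',
    '{"timestamp":"2017-03-16T15:00:07.000000+0000","event_type":"packet","flow_id":9999,'
    '"src_ip":"10.0.0.8","src_port":6000,"dest_ip":"192.0.2.9","dest_port":22,"proto":"TCP"}',
]

def flow_key(ev):
    """Prefer flow_id; otherwise fall back to a direction-independent 5-tuple."""
    if "flow_id" in ev:
        return ("flow_id", ev["flow_id"])
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return ("tuple", ev["proto"]) + tuple(ends)

def correlate(lines):
    """Return one record per tagged packet: the (gid, sid) pairs of alerts seen
    on the same flow at or before the packet, and whether that set is ambiguous
    (more than one alert could have caused the packet to be tagged)."""
    alerts_by_flow = defaultdict(list)   # flow key -> [(timestamp, gid, sid)]
    packets = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            alerts_by_flow[flow_key(ev)].append((ev["timestamp"], a["gid"], a["signature_id"]))
        elif ev.get("event_type") == "packet":
            packets.append(ev)
    results = []
    for p in packets:
        # EVE timestamps share one format, so string comparison orders them correctly.
        cands = sorted({(g, s) for ts, g, s in alerts_by_flow.get(flow_key(p), [])
                        if ts <= p["timestamp"]})
        results.append({"timestamp": p["timestamp"], "alerts": cands,
                        "ambiguous": len(cands) > 1})
    return results
```

A packet with an empty `alerts` list (the third one above) is a tagged packet whose generating alert is not in the input, which is what a unified2-style backtrack by timestamp would silently mis-attribute.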