[Oisf-users] Tagged packet logging

Jim Hranicky jfh at ufl.edu
Thu Mar 16 15:32:32 UTC 2017


I can see what I can find - should I be looking in
detect-engine-tag.c and/or alert-unified2-alert.c?

Jim

On 03/16/2017 11:07 AM, Jason Ish wrote:
> Hi Jim,
> 
> No, nothing yet. It's not as simple as it might seem and I haven't got back
> to it yet.
> 
> Jason
> 
> On Wed, Mar 8, 2017 at 12:51 PM, Jim Hranicky <jfh at ufl.edu> wrote:
> 
>> Howdy,
>>
>> Just checking in. Is there a change to the tagged packet logging for
>> u2 still in the works?
>>
>> Thanks,
>> Jim
>>
>> On 11/04/2016 10:07 AM, Jim Hranicky wrote:
>>> On 11/03/2016 06:55 PM, Jason Ish wrote:
>>>
>>>>> Is it possible to have the tagged packets use the same sid as
>>>>> the rule they originated from?
>>>>
>>>> Hi Jim,
>>>>
>>>> I'm guessing you are using unified2 output? This likely won't happen
>>>> as Snort's unified2 doesn't have an associated event with a tagged
>>>> packet, instead you back track to the generating event using the
>>>> timestamp fields.
>>>
>>> Yes, I'm using u2/barnyard2. I have the ability to match up events
>>> based on IPs/timestamps, but it'd be great not to have to do so.
>>>
>>>> Suricata still prefixes the tagged packet records with a unified1
>>>> style event header which uses gid 2 and sid 1.  I'll revisit this
>>>> soon to make it identical to Snort's behaviour with unified2.
>>>
>>> That'd be awesome.
>>>
>>>> With tagged packet support for eve logging I dropped the references to
>>>> the originating alert altogether.  Instead you can use the flow_id
>>>> and/or 5 tuple to associate tagged packets with their event.  I find
>>>> this a better approach as multiple alerts could trigger the same
>>>> packets to be logged, in which case it is unclear which you would
>>>> attribute the tagged packets to.
>>>
>>> Probably is a better approach, but as I'm still on u2 if the tagged
>>> packets could simply have the original gid/sid that'd be really
>>> helpful.
>>>
>>> Thanks,
>>> Jim
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>
>>
> 
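The eve-based correlation Jason describes above (match a tagged packet record back to its alert by flow_id, falling back to the 5-tuple, and accept that several alerts on one flow are all candidates) as an added worked example. This is not code from the thread or from the Suricata project. The record layout (event_type "alert" with alert.gid/alert.signature_id, event_type "packet" for tagged packets, both carrying flow_id and the 5-tuple) follows the eve.json documentation as I understand it and is an assumption here; the sample lines are constructed, with made-up addresses, ports, sids and a dummy base64 packet body.

```python
"""Correlate Suricata EVE tagged-packet records with the alert(s) on the same flow.

Added example; the field names below are assumed from the eve.json format and
the sample records are constructed, not captured from a sensor.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed eve.json lines: flow 1111 has two alerts and one tagged packet,
# flow 2222 has one alert and a tagged packet that lacks flow_id (exercises the
# 5-tuple fallback), flow 3333 has a tagged packet with no alert at all.
SAMPLE_EVE = r'''
{"timestamp":"2017-03-16T15:00:00.000001+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.0.5","src_port":43210,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"TEST rule A"}}
{"timestamp":"2017-03-16T15:00:00.000002+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.0.5","src_port":43210,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000002,"rev":1,"signature":"TEST rule B"}}
{"timestamp":"2017-03-16T15:00:00.100000+0000","flow_id":1111,"event_type":"packet","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":43210,"proto":"TCP","packet":"AAAA","packet_info":{"linktype":1}}
{"timestamp":"2017-03-16T15:00:01.000000+0000","flow_id":2222,"event_type":"alert","src_ip":"10.0.0.6","src_port":50000,"dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000003,"rev":1,"signature":"TEST rule C"}}
{"timestamp":"2017-03-16T15:00:01.200000+0000","event_type":"packet","src_ip":"192.0.2.11","src_port":443,"dest_ip":"10.0.0.6","dest_port":50000,"proto":"TCP","packet":"AAAA","packet_info":{"linktype":1}}
{"timestamp":"2017-03-16T15:00:02.000000+0000","flow_id":3333,"event_type":"packet","src_ip":"10.0.0.7","src_port":1,"dest_ip":"192.0.2.12","dest_port":2,"proto":"UDP","packet":"AAAA","packet_info":{"linktype":1}}
'''


def parse_ts(value):
    """Parse an eve timestamp such as 2017-03-16T15:00:00.000001+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def five_tuple(rec):
    """Direction-independent flow key: proto plus the sorted endpoint pair.

    A tagged packet may be logged in the reverse direction of the alert, so
    the key must not depend on which side is src and which is dest.
    """
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dest_ip"], rec["dest_port"])
    return (rec["proto"],) + tuple(sorted([a, b]))


def correlate(lines):
    """Attach every tagged packet to the alerts that could have caused it.

    Returns one dict per packet: its timestamp, how it was matched
    ("flow_id", "5tuple" or "unmatched") and the sorted (gid, sid) list of
    candidate alerts. Several alerts on one flow are all reported, since the
    packet record itself does not say which one tagged it.
    """
    alerts_by_flow = defaultdict(list)
    alerts_by_tuple = defaultdict(list)
    packets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        kind = rec.get("event_type")
        if kind == "alert":
            if "flow_id" in rec:
                alerts_by_flow[rec["flow_id"]].append(rec)
            alerts_by_tuple[five_tuple(rec)].append(rec)
        elif kind == "packet":
            packets.append(rec)

    results = []
    for pkt in packets:
        pkt_ts = parse_ts(pkt["timestamp"])
        # Only alerts logged at or before the packet can have tagged it.
        def before(alerts):
            return [a for a in alerts if parse_ts(a["timestamp"]) <= pkt_ts]

        candidates = before(alerts_by_flow.get(pkt.get("flow_id"), []))
        how = "flow_id"
        if not candidates:
            candidates = before(alerts_by_tuple.get(five_tuple(pkt), []))
            how = "5tuple"
        if not candidates:
            how = "unmatched"
        results.append({
            "timestamp": pkt["timestamp"],
            "matched_by": how,
            "sids": sorted((a["alert"]["gid"], a["alert"]["signature_id"])
                           for a in candidates),
        })
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVE.splitlines()):
        print(row)
```

The flow_id lookup is the primary key because it is unique per flow for the sensor's lifetime, whereas a 5-tuple is reused across connections; the timestamp check on the 5-tuple fallback is what keeps an old alert on a recycled port pair from being blamed for a later packet. In practice you would run this over the real eve.json, not the embedded sample.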