[Oisf-users] Tagged packet logging

Jason Ish lists at unx.ca
Thu Mar 16 16:52:04 UTC 2017


You can see my PR that did make it Snort compliant here:

https://github.com/inliniac/suricata/pull/2184

but it may have some issues that are not immediately apparent, which is why
we went for a simpler fix at this time.

Jason

On Thu, Mar 16, 2017 at 9:32 AM, Jim Hranicky <jfh at ufl.edu> wrote:

> I can see what I can find - should I be looking in
> detect-engine-tag.c and/or alert-unified2-alert.c?
>
> Jim
>
> On 03/16/2017 11:07 AM, Jason Ish wrote:
> > Hi Jim,
> >
> > No, nothing yet. It's not as simple as it might seem and I haven't got
> > back to it yet.
> >
> > Jason
> >
> > On Wed, Mar 8, 2017 at 12:51 PM, Jim Hranicky <jfh at ufl.edu> wrote:
> >
> >> Howdy,
> >>
> >> Just checking in. Is there a change to the tagged packet logging for
> >> u2 still in the works?
> >>
> >> Thanks,
> >> Jim
> >>
> >> On 11/04/2016 10:07 AM, Jim Hranicky wrote:
> >>> On 11/03/2016 06:55 PM, Jason Ish wrote:
> >>>
> >>>>> Is it possible to have the tagged packets use the same sid as
> >>>>> the rule they originated from?
> >>>>
> >>>> Hi Jim,
> >>>>
> >>>> I'm guessing you are using unified2 output? This likely won't happen
> >>>> as Snort's unified2 doesn't have an associated event with a tagged
> >>>> packet, instead you back track to the generating event using the
> >>>> timestamp fields.
> >>>
> >>> Yes, I'm using u2/barnyard2. I have the ability to match up events
> >>> based on ips/timestamps, but it'd be great not to have to do so.
> >>>
> >>>> Suricata still prefixes the tagged packet records with a unified1
> >>>> style event header which uses gid 2 and sid 1.  I'll revisit this
> >>>> soon to make it identical to Snort's behaviour with unified2.
> >>>
> >>> That'd be awesome.
> >>>
> >>>> With tagged packet support for eve logging I dropped the references to
> >>>> the originating alert altogether.  Instead you can use the flow_id
> >>>> and/or 5 tuple to associate tagged packets with their event.  I find
> >>>> this a better approach as multiple alerts could trigger the same
> >>>> packets to be logged, in which case it is unclear which you would
> >>>> attribute the tagged packets to.
> >>>
> >>> Probably is a better approach, but as I'm still on u2 if the tagged
> >>> packets could simply have the original gid/sid that'd be really
> >>> helpful.
> >>>
> >>> Thanks,
> >>> Jim
> >>> _______________________________________________
> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> >>>
> >>
> >
>
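The flow_id / 5-tuple correlation Jason describes for EVE output, as an added example: this is my code, not part of the thread and not Suricata's own, and it runs over constructed EVE records. It assumes tagged packets appear as `event_type: "packet"` records carrying the same `flow_id`, `src_ip`/`dest_ip`/`src_port`/`dest_port`/`proto` fields as the alert; packet payloads are left empty. It also shows the ambiguity Jason mentions: when two alerts fire on one flow, the packet cannot be attributed to a single sid, and the result flags that instead of guessing.

```python
"""
Correlate Suricata EVE tagged-packet records with the alert(s) that caused
them, joining on flow_id and falling back to a direction-independent
5-tuple for records that carry no flow_id.

All records below are constructed for this example; the field names follow
the EVE JSON schema, the values are invented.
"""
import json
from collections import defaultdict

# Constructed sample: one alert on flow 11, two alerts on flow 22, tagged
# packets on both flows, plus one packet with no flow_id in the reverse
# direction of flow 11 (exercises the 5-tuple fallback).
SAMPLE_EVE = r"""
{"timestamp":"2017-03-16T16:00:00.000001+0000","flow_id":11,"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"EXAMPLE tag test 1"}}
{"timestamp":"2017-03-16T16:00:00.000500+0000","flow_id":11,"event_type":"packet","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","packet":"","packet_info":{"linktype":1}}
{"timestamp":"2017-03-16T16:00:01.000000+0000","flow_id":22,"event_type":"alert","src_ip":"10.0.0.6","src_port":40001,"dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000002,"rev":1,"signature":"EXAMPLE tag test 2"}}
{"timestamp":"2017-03-16T16:00:01.000010+0000","flow_id":22,"event_type":"alert","src_ip":"10.0.0.6","src_port":40001,"dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000003,"rev":1,"signature":"EXAMPLE tag test 3"}}
{"timestamp":"2017-03-16T16:00:01.000900+0000","flow_id":22,"event_type":"packet","src_ip":"10.0.0.6","src_port":40001,"dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP","packet":"","packet_info":{"linktype":1}}
{"timestamp":"2017-03-16T16:00:02.000000+0000","event_type":"packet","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":40000,"proto":"TCP","packet":"","packet_info":{"linktype":1}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flow_key(rec):
    """Direction-independent 5-tuple: (proto, endpoint_a, endpoint_b) with the
    two endpoints sorted, so both directions of a flow map to one key."""
    a = (rec["src_ip"], rec.get("src_port", 0))
    b = (rec["dest_ip"], rec.get("dest_port", 0))
    return (rec["proto"],) + tuple(sorted([a, b]))


def correlate(records):
    """Attach each packet record to the alert sids of its flow.

    Returns one (packet_timestamp, sorted_sids, ambiguous) tuple per packet.
    ambiguous is True when more than one alert fired on the flow, i.e. the
    packet cannot honestly be attributed to a single rule.
    """
    by_flow_id = defaultdict(set)
    by_tuple = defaultdict(set)
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"]["signature_id"]
        if "flow_id" in rec:
            by_flow_id[rec["flow_id"]].add(sid)
        by_tuple[flow_key(rec)].add(sid)

    results = []
    for rec in records:
        if rec.get("event_type") != "packet":
            continue
        if rec.get("flow_id") in by_flow_id:
            sids = by_flow_id[rec["flow_id"]]
        else:
            # No flow_id (or no alert seen with it): fall back to the 5-tuple.
            sids = by_tuple.get(flow_key(rec), set())
        results.append((rec["timestamp"], sorted(sids), len(sids) > 1))
    return results


if __name__ == "__main__":
    for ts, sids, ambiguous in correlate(parse_eve(SAMPLE_EVE)):
        flag = " (ambiguous: several alerts on this flow)" if ambiguous else ""
        print(f"{ts} tagged packet <- sids {sids}{flag}")
```

Joining on flow_id first and the 5-tuple second matters for exactly the case Jim raises: the 5-tuple alone can collide across successive connections reusing the same ports, while flow_id is unique per flow for the life of the process. The ambiguity flag is the practical consequence of Jason's point: a downstream tool should carry all candidate sids rather than pick one.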