[Oisf-users] Unique Alert ID when using EVE

Champ Clark III cclark at quadrantsec.com
Fri May 25 14:52:31 UTC 2018


> There is no equivalent, but I think that's OK. I like to assign each
> event a UUID or ULID in my process that reads events. Something you
> would need to do with unified2 anyways.

> Even with unified2 the event ID is not unique, I believe it starts from
> 1 on each restart of Suricata. Within the scope of unified2 it's used to
> associate a packet record (or other event records) back to an event
> record. Something that is not usually required in Eve. So even with
> unified2, I'm still giving each event an ID unique to my system.

I agree with Jason here. Unless you are doing something really unique with the Unified2 ID,
it's largely irrelevant.

We have been going through a "unified2" to "eve" transition as well. We create software
similar to Barnyard2 that reads EVE files rather than Unified2. It keeps the same traditional
database format, plus some new tables, to remain backward compatible with Barnyard2's database.

Your post made me think that you might find this interesting/helpful.

The software is called "Meer" and can be found at https://github.com/beave/meer
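The approach the thread describes, an EVE reader that assigns its own ID to every record because neither EVE nor the restart-reset unified2 counter gives one, worked through as an added example. This is not code from the thread, from Suricata or from Meer. It assumes EVE's one-JSON-object-per-line layout, a reader-chosen sensor name ("sensor-a") and a private UUID namespace; the EVE lines below are constructed for the example, not real sensor output. It goes slightly beyond the quoted suggestion by showing both a random UUID (unique, but re-reading a rotated file tags the same record twice) and a deterministic UUIDv5 over the record's identifying fields (idempotent on re-processing, distinct per sensor).

```python
"""Assign a globally unique ID to every Suricata EVE record in a reader process.

Added example; not part of the original mailing-list thread, Suricata or Meer.
Assumptions (not from the thread): EVE is one JSON object per line, the reader
knows which sensor a file came from, and the namespace below is private to us.
"""
import json
import uuid

# Constructed sample EVE lines (not real sensor output): two alerts on different
# flows plus a later flow record that shares flow_id with the first alert.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-05-25T14:52:31.000001+0000","flow_id":1001,'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2018-05-25T14:52:31.000002+0000","flow_id":1002,'
    '"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2018-05-25T14:52:40.000000+0000","flow_id":1001,'
    '"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]

# Private namespace (constructed) so our IDs cannot collide with UUIDv5 values
# that some other system derives from the same strings.
EVE_ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "eve-ids.example.invalid")


def random_event_id() -> str:
    """Option 1 from the thread: a fresh random UUID per record.

    Unique across Suricata restarts and across sensors, but re-reading the
    same line (e.g. after log rotation) yields a second, different ID.
    """
    return str(uuid.uuid4())


def deterministic_event_id(sensor: str, event: dict) -> str:
    """Option 2: UUIDv5 over the fields that identify an EVE record.

    The same record always maps to the same ID, so re-processing a file is
    idempotent. The sensor name is part of the key because timestamp and
    flow_id can repeat across different boxes. Signature id/rev are added for
    alerts because several rules can fire on one packet with identical
    timestamp and flow_id. Two firings of the same rule on the same flow in
    the same microsecond would still collide; that is the residual caveat.
    """
    key_fields = [
        sensor,
        str(event.get("timestamp", "")),
        str(event.get("flow_id", "")),
        str(event.get("event_type", "")),
    ]
    alert = event.get("alert")
    if isinstance(alert, dict):
        key_fields += [str(alert.get("signature_id", "")), str(alert.get("rev", ""))]
    # Unit separator keeps "a"+"bc" and "ab"+"c" from hashing to the same key.
    return str(uuid.uuid5(EVE_ID_NAMESPACE, "\x1f".join(key_fields)))


def tag_events(lines, sensor: str, deterministic: bool = True) -> list:
    """Parse EVE lines and return each record with an added "event_id" field.

    Malformed or torn lines (a writer mid-append, a truncated rotation) are
    skipped rather than aborting the whole reader; a real deployment would
    count them so a silent parser failure does not go unnoticed.
    """
    tagged = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        event["event_id"] = (
            deterministic_event_id(sensor, event) if deterministic else random_event_id()
        )
        tagged.append(event)
    return tagged


if __name__ == "__main__":
    for rec in tag_events(SAMPLE_EVE_LINES, "sensor-a"):
        print(rec["event_id"], rec["event_type"], rec["flow_id"])
```

In a real reader the deterministic variant is the one to store as the primary key: a second pass over the same file after a crash becomes a no-op insert instead of a duplicated alert row, and records from two sensors that happen to share a flow_id still get distinct keys.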
