[Snort-devel] Unified2 output format?

c0uchw4rrior c0uchw4rrior at ...2499...
Mon Mar 2 18:09:02 EST 2009


I've been looking into the Unified2 output format, specifically at
implementing it for some software components that currently produce
and consume Unified logs.

From reading the write-up on Unified2 at subukan.com and from some of
the comments in the Snort sources, I have some concerns about just how
mature / stable and readily extensible Unified2 is. This contradicts
what I've been told about commercial Sourcefire products: they now use
Unified2 as the default format.

Is Unified2 as implemented in the Snort GPL'd source code
production-ready? Is anyone successfully using it to extensibly log
extended information from their own preprocessors? Any example code
would be a big plus. Please forgive me if I'm missing any good
examples that are present in the Snort sources.


Below is an example comment from the Snort sources:

/* XXX Remove these when the real Unified 2 header becomes available */

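For readers who, like the poster, need to produce and consume Unified2 records, here is a small round-trip example. It is added here and is not code from the poster, from Snort, or from any Sourcefire product. It assumes the on-disk layout published in Snort's unified2 header: every record starts with a serial header of two network-order uint32 values (record type, then body length), a type 7 IDS event body is 52 bytes (11 uint32, 2 uint16, 4 uint8), and a type 2 packet record is a 28-byte header followed by the raw packet. The record type numbers, field order, the sample event and the packet bytes are all assumptions or constructed data, not taken from the mailing-list page.

```python
import ipaddress
import struct
from typing import Any, Dict, List

# Record type values assumed from Snort's unified2 header definitions.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2_Header: type, length (both network byte order).
SERIAL_HDR = struct.Struct("!II")
# Legacy IPv4 IDS event body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
# Packet record header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; raw packet bytes follow.
PACKET_HDR = struct.Struct("!7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def build_record(rtype: int, body: bytes) -> bytes:
    """Producer side: prefix a body with its serial header."""
    return SERIAL_HDR.pack(rtype, len(body)) + body


def decode_ids_event(body: bytes) -> Dict[str, Any]:
    if len(body) != IDS_EVENT.size:
        raise ValueError(f"IDS event body is {len(body)} bytes, expected {IDS_EVENT.size}")
    rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
    # Addresses are stored as host-order-free 32-bit integers; render them.
    rec["ip_source"] = str(ipaddress.IPv4Address(rec["ip_source"]))
    rec["ip_destination"] = str(ipaddress.IPv4Address(rec["ip_destination"]))
    return rec


def decode_packet(body: bytes) -> Dict[str, Any]:
    if len(body) < PACKET_HDR.size:
        raise ValueError("packet record shorter than its fixed header")
    rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body, 0)))
    data = body[PACKET_HDR.size:]
    # Caveat: the serial length and packet_length are independent; refuse
    # records where they disagree instead of reading past the body.
    if rec["packet_length"] != len(data):
        raise ValueError(f"packet_length {rec['packet_length']} != {len(data)} bytes present")
    rec["packet_data"] = data
    return rec


def parse_stream(data: bytes) -> List[Dict[str, Any]]:
    """Consumer side: walk the serial headers and decode the bodies we know."""
    records: List[Dict[str, Any]] = []
    off = 0
    while off < len(data):
        if len(data) - off < SERIAL_HDR.size:
            raise ValueError(f"truncated serial header at offset {off}")
        rtype, rlen = SERIAL_HDR.unpack_from(data, off)
        off += SERIAL_HDR.size
        if len(data) - off < rlen:
            raise ValueError(f"record type {rtype} claims {rlen} bytes, {len(data) - off} left")
        body = data[off:off + rlen]
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT:
            rec = decode_ids_event(body)
        elif rtype == UNIFIED2_PACKET:
            rec = decode_packet(body)
        else:
            rec = {"raw": body}  # unknown type: keep it opaque, do not guess
        rec["type"] = rtype
        records.append(rec)
    return records


def stream_is_truncated(data: bytes) -> bool:
    try:
        parse_stream(data)
    except ValueError:
        return True
    return False


# Constructed sample data (not a real capture): one alert plus its packet.
SAMPLE_PACKET = b"\x00" * 14 + b"constructed payload"
SAMPLE_EVENT_BODY = IDS_EVENT.pack(
    1, 7, 1235963342, 0, 1000001, 1, 3, 1, 2,
    int(ipaddress.IPv4Address("10.0.0.5")), int(ipaddress.IPv4Address("192.168.1.10")),
    44321, 80, 6, 0, 0, 0)
SAMPLE_PACKET_BODY = PACKET_HDR.pack(1, 7, 1235963342, 1235963342, 0, 1, len(SAMPLE_PACKET)) + SAMPLE_PACKET
SAMPLE_STREAM = build_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT_BODY) + build_record(UNIFIED2_PACKET, SAMPLE_PACKET_BODY)

if __name__ == "__main__":
    for r in parse_stream(SAMPLE_STREAM):
        print({k: v for k, v in r.items() if k != "packet_data"})
```

The two length checks are the part worth keeping: a consumer that trusts the serial length or packet_length blindly will read garbage or crash on a truncated log, which is exactly the kind of robustness question the poster is asking about.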

More information about the Snort-devel mailing list