[Snort-devel] Unified2 output format?

Jason Brvenik jasonb at ...402...
Mon Mar 2 18:24:59 EST 2009

I implemented unified2 support for SnortUnified.pm, not sure if it
will be of assistance to you but it can be found here:


On Mon, Mar 2, 2009 at 6:09 PM, c0uchw4rrior <c0uchw4rrior at ...2499...> wrote:
> Hello,
> I've been looking into the Unified2 output format, specifically at
> implementing it for some software components that currently produce
> and consume Unified logs.
> From reading the write-up on Unified2 at subukan.com and from some of
> the comments in the Snort sources, I have some concerns about just how
> mature / stable and readily extensible Unified2 is. This contradicts
> what I've been told about commercial Sourcefire products: they now use
> Unified2 as the default format.
> Is Unified2 as implemented in the Snort GPL'd source code
> production-ready? Is anyone successfully using it to extensibly log
> extended information from their own preprocessors? Any example code
> would be a big plus. Please forgive me if I'm missing any good
> examples that are present in the Snort sources.
> http://subukan.com/index.php?fmk=articles.snort_unified
> Below is an example comment from the Snort sources:
> /* XXX Remove these when the real Unified 2 header becomes available */
> Regards,
> c0uch
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
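The quoted question asks what a Unified2 consumer has to handle and for example code. The Python reader below is an added example for this archive page; it is not code from this thread, from SnortUnified.pm, or from Snort itself. It decodes the two most common record types (type 2 packet, type 7 IPv4 IDS event) using the big-endian layouts published in the Snort manual's unified2 section, which is an assumption to verify against the Snort version in use; the other record types (IPv6, VLAN and extra-data variants) are left out. The constants, the sample records and the timestamp are constructed here. Two behaviours it demonstrates are the ones a production reader of a spool file needs: skipping record types it does not recognise by their length field, which is what lets new preprocessor records coexist with older consumers, and stopping cleanly at a partially written record so a tail-following reader can resume later.

```python
import struct
from ipaddress import IPv4Address

# Record-type values and field layouts follow the unified2 definitions in the
# Snort manual (Unified2_common.h); they are not taken from this thread and
# should be checked against the Snort version you target.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HEADER = struct.Struct("!II")               # type, length (network order)
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")    # 52-byte IPv4 IDS event body
PACKET_HEADER = struct.Struct("!IIIIIII")          # 28 bytes, then the packet bytes

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)
PACKET_FIELDS = (
    "sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length",
)


def decode_record(rtype, body):
    """Decode one record body. Unknown types are kept rather than rejected:
    a reader that stops on a type it does not know cannot coexist with new
    preprocessor record types, which is the extensibility concern above."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
        rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
        rec["ip_source"] = str(IPv4Address(rec["ip_source"]))
        rec["ip_destination"] = str(IPv4Address(rec["ip_destination"]))
        return {"type": "IDS_EVENT", **rec}
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET_HEADER.size:
        rec = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack_from(body)))
        start = PACKET_HEADER.size
        rec["packet_data"] = body[start:start + rec["packet_length"]]
        return {"type": "PACKET", **rec}
    return {"type": "UNKNOWN", "raw_type": rtype, "raw": body}


def parse_records(data):
    """Return (records, bytes_consumed). Parsing stops at a record whose
    length field runs past the end of the buffer: Snort appends to the spool
    incrementally, so a short read means 'not written yet', and the caller
    resumes from bytes_consumed once more data has been appended."""
    records, offset = [], 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        body_start = offset + RECORD_HEADER.size
        if body_start + length > len(data):
            break
        records.append(decode_record(rtype, data[body_start:body_start + length]))
        offset = body_start + length
    return records, offset


def build_ids_event(**fields):
    """Serialise a type-7 record; unspecified fields are zero (constructed helper)."""
    values = [fields.get(name, 0) for name in IDS_EVENT_FIELDS]
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + IDS_EVENT.pack(*values)


def build_packet(packet_data, **fields):
    """Serialise a type-2 record around raw packet bytes (constructed helper)."""
    values = [fields.get(name, 0) for name in PACKET_FIELDS[:-1]] + [len(packet_data)]
    body = PACKET_HEADER.pack(*values) + packet_data
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed spool contents: an event, its packet, a record of an unknown
# type, and a truncated record that a writer has not finished appending.
SAMPLE_LOG = (
    build_ids_event(sensor_id=1, event_id=42, event_second=1236034199,
                    signature_id=1000001, generator_id=1, signature_revision=3,
                    classification_id=2, priority_id=1,
                    ip_source=int(IPv4Address("10.0.0.5")),
                    ip_destination=int(IPv4Address("192.0.2.10")),
                    sport_itype=51234, dport_icode=80, protocol=6)
    + build_packet(b"\x00" * 14 + b"E\x00", sensor_id=1, event_id=42,
                   event_second=1236034199, linktype=1)
    + RECORD_HEADER.pack(999, 4) + b"\xde\xad\xbe\xef"
    + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)

if __name__ == "__main__":
    recs, consumed = parse_records(SAMPLE_LOG)
    for r in recs:
        print({k: v for k, v in r.items() if k not in ("raw", "packet_data")})
    print(f"consumed {consumed} of {len(SAMPLE_LOG)} bytes; "
          f"{len(SAMPLE_LOG) - consumed} bytes pending")
```

When reading a live spool, keep the file handle open, call `parse_records` on the bytes read since the last call, and carry the unconsumed tail forward into the next read rather than discarding it; seeking back to `bytes_consumed` is the same idea on a file offset.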
