[Snort-devel] Unified2 output format?
c0uchw4rrior at ...2499...
Tue Mar 10 17:28:48 EDT 2009
Thanks for the link to SnortUnified.pm.
I think what I'm interested in is the Unified2 "extended" event type,
for use in logging extended event data from a custom preprocessor.
From looking at the Snort 188.8.131.52 source in
output-plugins/spo_unified2.c, UNIFIED2_EVENT_EXTENDED is defined on
line 222, but never used anywhere in the source code. The comment
before these UNIFIED2 #defines reads:
/* XXX Remove these when the real Unified 2 header becomes available */
I see in the SnortUnified.pm script that the $unified2_type_masks hash
doesn't define an unpacking mask for the $UNIFIED2_EVENT_EXTENDED,
$UNIFIED2_PERFORMANCE or $UNIFIED2_EVENT_PORTSCAN types. The comment
before these lines reads:
"# XXX - Need to track down these structs"
Is the extended event type currently implemented?
On Mon, Mar 2, 2009 at 7:24 PM, Jason Brvenik <jasonb at ...402...> wrote:
> I implemented unified2 support for SnortUnified.pm, not sure if it
> will be of assistance to you but it can be found here:
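As an added illustration (not code from the thread, Snort, or SnortUnified.pm) of what a reader has to do with record types it has no unpack mask for: the walker below parses the big-endian (type, length) header of each Unified2 record, decodes the legacy IPv4 IDS event, and skips extended/performance/portscan records by their length field instead of failing on them. The numeric type values and the 52-byte IDS event layout are my assumptions from Unified2_common.h; the sample stream is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# Type names are those in spo_unified2.c / SnortUnified.pm; the numeric values
# are assumed from Unified2_common.h, so check them against your Snort tree.
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EVENT_EXTENDED = 66
UNIFIED2_PERFORMANCE = 67
UNIFIED2_PORTSCAN = 68

HDR = struct.Struct(">II")             # every record: big-endian (type, length)
IDS_EVENT = struct.Struct(">11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes (assumed)

@dataclass
class Record:
    rtype: int
    payload: bytes
    event: Optional[dict] = None   # decoded only for types we have a struct for

def iter_records(buf: bytes) -> Iterator[Record]:
    """Walk a Unified2 stream; decode IDS events, skip types with no known
    struct (extended, performance, portscan, ...) using the length field."""
    off = 0
    while off + HDR.size <= len(buf):
        rtype, length = HDR.unpack_from(buf, off)
        start, off = off, off + HDR.size
        if off + length > len(buf):
            raise ValueError(f"truncated type-{rtype} record at offset {start}")
        rec = Record(rtype, buf[off:off + length])
        off += length
        if rtype == UNIFIED2_IDS_EVENT and length == IDS_EVENT.size:
            f = IDS_EVENT.unpack(rec.payload)
            rec.event = {"sensor_id": f[0], "event_id": f[1], "sig_id": f[4],
                         "gen_id": f[5], "priority": f[8], "src": f[9],
                         "dst": f[10], "sport": f[11], "dport": f[12],
                         "proto": f[13]}
        yield rec

def pack_record(rtype: int, payload: bytes) -> bytes:
    return HDR.pack(rtype, len(payload)) + payload

# Constructed sample stream: one IPv4 IDS event, then an "extended" record
# whose layout we do not know (dummy bytes), which the walker must skip.
SAMPLE = (
    pack_record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        1, 42, 1236720528, 0, 1000001, 1, 1, 3, 2,
        0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0))
    + pack_record(UNIFIED2_EVENT_EXTENDED, b"\x00" * 12)
)

def summarize(buf: bytes) -> list:
    """(type, signature id or None) per record, for a quick sanity check."""
    return [(r.rtype, r.event["sig_id"] if r.event else None)
            for r in iter_records(buf)]
```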