[Snort-devel] Unified2 output format?

c0uchw4rrior c0uchw4rrior at ...2499...
Tue Mar 10 17:28:48 EDT 2009


Jason,

Thanks for the link to SnortUnified.pm.

I think what I'm interested in is the Unified2 "extended" event type,
for use in logging extended event data from a custom preprocessor.

From looking at the Snort 2.8.3.2 source in
output-plugins/spo_unified2.c, UNIFIED2_EVENT_EXTENDED is defined on
line 222, but never used anywhere in the source code. The comment
before these UNIFIED2 #defines reads:

/* XXX Remove these when the real Unified 2 header becomes available */

I see in the SnortUnified.pm script that the $unified2_type_masks hash
doesn't define an unpacking mask for the $UNIFIED2_EVENT_EXTENDED,
$UNIFIED2_PERFORMANCE or $UNIFIED2_EVENT_PORTSCAN types. The comment
before these lines reads:

"# XXX - Need to track down these structs"

Is the extended event type currently implemented?

$unified2_type_masks

Thanks,
c0uch

On Mon, Mar 2, 2009 at 7:24 PM, Jason Brvenik <jasonb at ...402...> wrote:
> I implemented unified2 support for SnortUnified.pm, not sure if it
> will be of assistance to you but it can be found here:
>
> http://code.google.com/p/snort-unified-perl/source/browse/trunk/SnortUnified.pm
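A small Unified2 record-stream reader showing how a parser should cope with the record types the thread says have no unpack mask yet (added example, not code from SnortUnified.pm or from the thread): records of an unknown type such as UNIFIED2_EVENT_EXTENDED are skipped using the length field in the common header instead of aborting or desynchronising the parse. The common header (u32 type, u32 length, network byte order), the type constants and the legacy IDS event layout are assumed from Snort's Unified2 headers; the sample byte stream is constructed.

```python
import struct

# Unified2 common record header: 4-byte type, 4-byte length, network byte order.
U2_HEADER = struct.Struct("!II")

# Record-type constants as in Snort's Unified2 headers (assumed values, not from the thread).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EVENT_EXTENDED = 66

# Assumed layout of the legacy IDS event: eleven u32, two u16, four u8 fields (52 bytes).
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

# Unpack masks keyed by record type, in the spirit of $unified2_type_masks.
# UNIFIED2_EVENT_EXTENDED deliberately has no entry, as in the thread.
TYPE_MASKS = {UNIFIED2_IDS_EVENT: (IDS_EVENT, IDS_EVENT_FIELDS)}


def iter_records(data):
    """Yield (type, payload) for each record; raise on a record cut short by the file end."""
    off = 0
    while off + U2_HEADER.size <= len(data):
        rtype, length = U2_HEADER.unpack_from(data, off)
        off += U2_HEADER.size
        if off + length > len(data):
            raise ValueError("truncated record of type %d at offset %d" % (rtype, off - 8))
        yield rtype, data[off:off + length]
        off += length


def decode(data):
    """Return (decoded, skipped): decoded records as dicts, unknown types as (type, size)."""
    decoded, skipped = [], []
    for rtype, payload in iter_records(data):
        mask = TYPE_MASKS.get(rtype)
        if mask is None or len(payload) < mask[0].size:
            skipped.append((rtype, len(payload)))  # no mask: skip by length, stay in sync
            continue
        st, names = mask
        decoded.append((rtype, dict(zip(names, st.unpack(payload[:st.size])))))
    return decoded, skipped


def make_record(rtype, payload):
    return U2_HEADER.pack(rtype, len(payload)) + payload


# Constructed sample stream: IDS event, an opaque "extended" record, another IDS event.
SAMPLE = (
    make_record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(1, 10, 1236720000, 0, 1000001, 1, 1, 3, 2,
                                                   0x0A000001, 0x0A000002, 4444, 80, 6, 0, 0, 0))
    + make_record(UNIFIED2_EVENT_EXTENDED, b"\x00" * 12)
    + make_record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(1, 11, 1236720001, 0, 1000002, 1, 1, 3, 2,
                                                     0x0A000001, 0x0A000002, 4445, 80, 6, 0, 0, 0))
)
```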
