[Snort-devel] Unified2 output format?

Jason Brvenik jasonb at ...402...
Thu Mar 12 11:50:31 EDT 2009


I cannot comment, as I've not gone looking for them in the code; it is
only referenced once, so it is unlikely to be used at the moment. The devs
would have to comment on any plans to start using it. I can say you
are the first I am aware of inquiring about it, so it is probably
safe to ignore for now.

On Tue, Mar 10, 2009 at 5:28 PM, c0uchw4rrior <c0uchw4rrior at ...2499...> wrote:
> Jason,
>
> Thanks for the link to SnortUnified.pm.
>
> I think what I'm interested in is the Unified2 "extended" event type,
> for use in logging extended event data from a custom preprocessor.
>
> From looking at the Snort 2.8.3.2 source in
> output-plugins/spo_unified2.c, UNIFIED2_EVENT_EXTENDED is defined on
> line 222, but never used anywhere in the source code. The comment
> before these UNIFIED2 #defines reads:
>
> /* XXX Remove these when the real Unified 2 header becomes available */
>
> I see in the SnortUnified.pm script that the $unified2_type_masks hash
> doesn't define an unpacking mask for the $UNIFIED2_EVENT_EXTENDED,
> $UNIFIED2_PERFORMANCE or $UNIFIED2_EVENT_PORTSCAN types. The comment
> before these lines reads:
>
> "# XXX - Need to track down these structs"
>
> Is the extended event type currently implemented?
>
> $unified2_type_masks
>
> Thanks,
> c0uch
>
> On Mon, Mar 2, 2009 at 7:24 PM, Jason Brvenik <jasonb at ...402...> wrote:
>> I implemented unified2 support for SnortUnified.pm, not sure if it
>> will be of assistance to you but it can be found here:
>>
>> http://code.google.com/p/snort-unified-perl/source/browse/trunk/SnortUnified.pm
>

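The thread turns on what a Unified2 consumer should do with record types it has no unpacking mask for (EXTENDED, PERFORMANCE, PORTSCAN). The reader below is an added example, not code from Snort or from SnortUnified.pm. It uses the Unified2 on-disk layout: an 8-byte record header (uint32 type, uint32 body length, network byte order) followed by the body, and the 52-byte Unified2IDSEvent_legacy body for type 7. The numeric value given to UNIFIED2_EVENT_EXTENDED is an assumption, and the parser does not depend on it: any type without a mask is carried as raw bytes and skipped by its length field, a known type whose body length does not match the mask is not unpacked, and a truncated trailing record stops parsing without consuming it, so a tailing reader can resume. The sample stream is constructed in the block, not captured from a sensor.

```python
"""Minimal Unified2 record reader (added illustration; not Snort's or
SnortUnified.pm's own code)."""
import struct
from typing import Dict, List, Tuple, Union

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EVENT_EXTENDED = 66  # assumed numeric value; parsing never relies on it

# Unified2RecordHeader: type, length of the body that follows (network order).
RECORD_HEADER = struct.Struct("!II")

# Unified2IDSEvent_legacy field order: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

# Counterpart of SnortUnified.pm's $unified2_type_masks: an unpack template per
# record type we can decode. Types with no entry are skipped by length.
TYPE_MASKS = {UNIFIED2_IDS_EVENT: (IDS_EVENT_LEGACY, IDS_EVENT_FIELDS)}

Record = Tuple[int, Union[Dict[str, int], bytes]]


def parse_unified2(data: bytes) -> Tuple[List[Record], int]:
    """Walk a byte string of Unified2 records.

    Returns (records, consumed). A record is (type, fields): a dict for types
    with a matching mask, the raw body otherwise. Parsing stops at the first
    truncated record (short header or short body) and `consumed` is left at
    that record's offset so a tailing reader can pick up there later.
    """
    records: List[Record] = []
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        body_start = off + RECORD_HEADER.size
        if body_start + length > len(data):
            break  # body not fully on disk yet; do not consume the header
        body = data[body_start:body_start + length]
        mask = TYPE_MASKS.get(rtype)
        if mask is not None and len(body) == mask[0].size:
            records.append((rtype, dict(zip(mask[1], mask[0].unpack(body)))))
        else:
            # Unknown type, or a known type whose length does not match the
            # mask (e.g. a newer struct): keep the bytes rather than guess.
            records.append((rtype, body))
        off = body_start + length
    return records, off


def build_ids_event(**overrides: int) -> bytes:
    """Build a type-7 record from field overrides (constructed test data)."""
    values = {name: 0 for name in IDS_EVENT_FIELDS}
    values.update(overrides)
    body = IDS_EVENT_LEGACY.pack(*(values[n] for n in IDS_EVENT_FIELDS))
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def sample_stream() -> bytes:
    """Constructed stream: IDS event, a record of a type we have no mask for,
    another IDS event, then a header cut off mid-write."""
    ev1 = build_ids_event(sensor_id=1, event_id=17, event_second=1236620400,
                          signature_id=1000001, generator_id=1,
                          signature_revision=2, priority_id=3,
                          ip_source=0xC0A80001, ip_destination=0x0A000005,
                          sport_itype=40000, dport_icode=80, protocol=6)
    ext = RECORD_HEADER.pack(UNIFIED2_EVENT_EXTENDED, 4) + b"\xde\xad\xbe\xef"
    ev2 = build_ids_event(sensor_id=1, event_id=18, signature_id=1000002,
                          generator_id=1, protocol=17)
    truncated = RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT_LEGACY.size)[:5]
    return ev1 + ext + ev2 + truncated


if __name__ == "__main__":
    recs, used = parse_unified2(sample_stream())
    for rtype, body in recs:
        print(rtype, body if isinstance(body, dict) else body.hex())
    print("consumed", used)
```

Adding support for a new type is a matter of adding a (struct, field names) pair to TYPE_MASKS; until the real struct for the extended event is known, leaving it out and letting the length field carry the reader past it is the safe behaviour.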