[Snort-devel] unified2_extra_data

Russ Combs rcombs at ...402...
Thu Jan 10 17:22:10 EST 2013


Check the Snort manual under "Extra Data Configurations".  There are
several types.  config log_ipv6_extra_data is one way.  http_inspect and
smtp preprocessors also can capture extra data for logging.

On Thu, Jan 10, 2013 at 3:55 PM, Brad Tilley <rtilley at ...3360...> wrote:

> I'm parsing unified2 data files from snort 2.9.4 with a C++ program I
> wrote (just to refresh my memory of the format) and I was wondering how to
> make snort write a UNIFIED2_EXTRA_DATA entry. I've tried scanning with
> Nessus, nmap and Rapid7 (ipv4 and ipv6) but I'm still unable to get a
> unified2 header with a type of 110 written to the file.
>
> Thanks for any advice. All the other types I'm interested in (2, 104, 105)
> parse OK.
>
> Brad
>
> --
>
> Brad Tilley
> Virginia Tech IT Security
> (540) 231-3133
>
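
To check whether a log contains any type 110 records at all, the following added example (not part of this thread and not Snort's own code) walks the unified2 record headers in C++, tallies record types, and stops cleanly on a record Snort has not finished writing. The extra-data payload layout is an assumption taken from the Snort 2.9 headers, and `scan_unified2`, `sample_log` and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

constexpr uint32_t UNIFIED2_EXTRA_DATA = 110;  // record type asked about in the thread

struct ScanResult {
    std::map<uint32_t, size_t> counts;  // record type -> number of complete records
    std::vector<uint32_t> extra_kinds;  // "type" field of each extra-data record
    bool truncated = false;             // input ended inside a record
};

// unified2 stores its integers in network byte order.
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

ScanResult scan_unified2(const std::vector<uint8_t>& buf) {
    ScanResult r;
    size_t off = 0;
    while (off < buf.size()) {
        if (buf.size() - off < 8) { r.truncated = true; break; }    // partial header
        uint32_t type = be32(&buf[off]), len = be32(&buf[off + 4]);
        off += 8;
        if (len > buf.size() - off) { r.truncated = true; break; }  // never trust len
        ++r.counts[type];
        // Assumed layout: 8-byte event_type/event_length header, then sensor_id,
        // event_id, event_second, type, data_type, blob_length (4 bytes each).
        if (type == UNIFIED2_EXTRA_DATA && len >= 32)
            r.extra_kinds.push_back(be32(&buf[off + 20]));
        off += len;
    }
    return r;
}

// Constructed sample: one type 2 record, one type 110 record, one cut-off type 104.
std::vector<uint8_t> sample_log() {
    std::vector<uint8_t> v;
    auto put32 = [&v](uint32_t x) { for (int s = 24; s >= 0; s -= 8) v.push_back(uint8_t(x >> s)); };
    put32(2); put32(4); put32(0);    // type 2 with a 4-byte dummy payload
    put32(110); put32(32);           // type 110 with a 32-byte payload
    for (uint32_t f : {0u, 0u, 0u, 0u, 0u, 9u, 0u, 0u}) put32(f);  // kind 9, rest zeroed
    put32(104); put32(60);           // header only, payload not yet on disk
    return v;
}

int main() {
    ScanResult r = scan_unified2(sample_log());
    for (auto& c : r.counts) std::printf("type %u: %zu\n", c.first, c.second);
    std::printf("extra data records: %zu, truncated: %d\n", r.extra_kinds.size(), r.truncated);
}
```

A count of zero for type 110 after traffic that should trigger it points at the Snort configuration rather than at the parser.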