[Snort-devel] unified2_extra_data

Brad Tilley rtilley at ...3360...
Fri Jan 11 07:01:37 EST 2013

On Thu, Jan 10, 2013 at 05:22:10PM -0500, Russ Combs wrote:
> Check the Snort manual under "Extra Data Configurations".  There are
> several types.  config log_ipv6_extra_data is one way.  http_inspect and
> smtp preprocessors also can capture extra data for logging.

I got some extra data written out by using config log_ipv6_extra (I don't parse it just yet, just note it and keep on going):

u2 header type: 110
header length: 48
offset: 2160
Extra Data not yet implemented.
u2 header type: 2
header length: 122
offset: 2216
Sensor_id: 0
Event_id: 7
Event_second: 1357905255
Packet_second: 1357905255
Packet_microsecond: 948346
Linktype: 1
Packet_length: 94

I did not realize that the manual had the unified2 specification. I just read the source code, but the manual section makes for a nice reference.

Thanks to all the replies (on and off list).
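
The output above stops at "Extra Data not yet implemented" for record type 110. As an added example (not code from this post or from Snort), the following parser walks unified2 records and decodes both the packet record (type 2) and the extra-data record (type 110). The field layout and the type codes 11/12 for IPv6 source/destination are taken from the unified2 section of the Snort manual; the function names are hypothetical and the input is a constructed sample sized to match the record lengths 48 and 122 shown above.

```python
import ipaddress
import struct

REC_HDR = struct.Struct(">II")   # record type, record length (network byte order)
PACKET = struct.Struct(">7I")    # fixed part of a type 2 record, 28 bytes
EXTRA = struct.Struct(">8I")     # extra-data header (2 fields) + body (6 fields), 32 bytes
U2_PACKET, U2_EXTRA_DATA = 2, 110
IPV6_SRC, IPV6_DST = 11, 12      # extra-data "type" values for IPv6 addresses
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
EXTRA_FIELDS = ("event_type", "event_length", "sensor_id", "event_id",
                "event_second", "extra_type", "data_type", "blob_length")

def parse_records(buf):
    """Walk a unified2 byte string and return one dict per record."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < REC_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = REC_HDR.unpack_from(buf, off)
        body = buf[off + REC_HDR.size: off + REC_HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record body at offset {off}")
        rec = {"type": rtype, "length": rlen, "offset": off}
        if rtype == U2_PACKET and rlen >= PACKET.size:
            rec.update(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
        elif rtype == U2_EXTRA_DATA and rlen >= EXTRA.size:
            rec.update(zip(EXTRA_FIELDS, EXTRA.unpack_from(body)))
            rec["data"] = body[EXTRA.size:]  # rest of record; blob_length is not interpreted
            if rec["extra_type"] in (IPV6_SRC, IPV6_DST) and len(rec["data"]) == 16:
                rec["ipv6"] = str(ipaddress.IPv6Address(rec["data"]))
        out.append(rec)                      # unknown types are noted and skipped
        off += REC_HDR.size + rlen
    return out

def constructed_sample():
    """Constructed input: one extra-data record and one packet record."""
    addr = ipaddress.IPv6Address("2001:db8::1").packed
    # event_type, event_length and blob_length are constructed placeholder values
    extra = EXTRA.pack(4, 40, 0, 7, 1357905255, IPV6_SRC, 1, 24) + addr
    pkt = PACKET.pack(0, 7, 1357905255, 1357905255, 948346, 1, 94) + bytes(94)
    return (REC_HDR.pack(U2_EXTRA_DATA, len(extra)) + extra
            + REC_HDR.pack(U2_PACKET, len(pkt)) + pkt)

if __name__ == "__main__":
    for r in parse_records(constructed_sample()):
        print({k: v for k, v in r.items() if k not in ("packet", "data")})
```

Record offsets are counted from the start of the 8-byte record header, which is the convention that makes the 2160 and 2216 offsets above differ by 8 + 48.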

