[Snort-devel] unified2_extra_data

Brad Tilley rtilley at ...3360...
Fri Jan 11 07:01:37 EST 2013


On Thu, Jan 10, 2013 at 05:22:10PM -0500, Russ Combs wrote:
> Check the Snort manual under "Extra Data Configurations".  There are
> several types.  config log_ipv6_extra_data is one way.  http_inspect and
> smtp preprocessors also can capture extra data for logging.

I got some extra data written out by using config log_ipv6_extra (I don't parse it just yet, just note it and keep on going):

------------------
u2 header type: 110
header length: 48
offset: 2160
Extra Data not yet implemented.
------------------
u2 header type: 2
header length: 122
offset: 2216
Sensor_id: 0
Event_id: 7
Event_second: 1357905255
Packet_second: 1357905255
Packet_microsecond: 948346
Linktype: 1
Packet_length: 94
Packet: FFFFFFAA0004000A0400FFFFFFD001FFFFFFA6FFFFFFC800FFFFFF86FFFFFFDD600000000028063C200104680CFFFFFF80212F020C29FFFFFFFFFFFFFFFEFFFFFFFDFFFFFFCA2C200104680CFFFFFF80FFFFFFC1111A0373FFFFFFFFFFFFFFFE4D0B0DFFFFFFB67005FFFFFFF13D3620FFFFFFDA00000000FFFFFFA002384014070000020405FFFFFFA00402080AFFFFFF9DFFFFFFE772FFFFFFCD0000000001030307
------------------

I did not realize that the manual had the unified2 specification. I just read the source code, but the manual section makes for a nice reference.

Thanks to all the replies (on and off list).

Brad
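For anyone writing the record walker described in this thread, here is an added Python example (my own code, not Brad's reader and not anything from the Snort project) that parses the two record types shown in the dump above: UNIFIED2_PACKET (type 2) and UNIFIED2_EXTRA_DATA (type 110). It follows the layouts in the unified2 section of the Snort manual as I read them: a record is an 8-byte big-endian header (type, length) whose length excludes the header itself, which is why the offsets above step from 2160 to 2216 (8 + 48); an extra data body is an 8-byte Unified2ExtraDataHdr, a 24-byte SerialUnified2ExtraData, and a blob whose `blob_length` counts the `data_type` and `blob_length` fields as well as the data (8 + 24 + 16 = 48 for one IPv6 address). The EventInfo type numbers, `EVENT_TYPE_EXTRA_DATA = 4` and `EVENT_DATA_TYPE_BLOB = 1` are taken from memory of `sf_unified2.h` and should be treated as assumptions to check against your Snort version. The sample buffer is constructed in `build_sample()`, not a real capture. Packet bytes are rendered with `bytes.hex()`, which formats every byte as two unsigned digits and so avoids the sign-extended `FFFFFF..` runs visible in the dump above.

```python
import struct
import ipaddress

# Serial_Unified2_Header record types seen in the thread (values per the Snort manual's unified2 spec).
UNIFIED2_PACKET = 2
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4   # Unified2ExtraDataHdr.event_type; assumed from sf_unified2.h
EVENT_DATA_TYPE_BLOB = 1    # SerialUnified2ExtraData.data_type; assumed from sf_unified2.h
# EventInfo enum (the "type" field of SerialUnified2ExtraData); assumed, verify against your headers.
EVENT_INFO_NAMES = {
    1: "XFF_IPV4", 2: "XFF_IPV6", 3: "REVIEWED_BY", 4: "GZIP_DATA", 5: "SMTP_FILENAME",
    6: "SMTP_MAILFROM", 7: "SMTP_RCPTTO", 8: "SMTP_EMAIL_HDRS", 9: "HTTP_URI",
    10: "HTTP_HOSTNAME", 11: "IPV6_SRC", 12: "IPV6_DST", 13: "JSNORM_DATA",
}

RECORD_HDR = struct.Struct("!II")   # type, length (length excludes this 8-byte header)
PACKET_HDR = struct.Struct("!7I")   # sensor_id, event_id, event_second, packet_second, usec, linktype, packet_length
EXTRA_HDR = struct.Struct("!II")    # Unified2ExtraDataHdr: event_type, event_length (whole body)
EXTRA_DATA = struct.Struct("!6I")   # SerialUnified2ExtraData: sensor_id, event_id, event_second, type, data_type, blob_length


def parse_packet(body):
    """Parse a UNIFIED2_PACKET body; the packet itself is returned as unsigned hex."""
    if len(body) < PACKET_HDR.size:
        raise ValueError("packet record too short")
    (sensor_id, event_id, event_second, packet_second,
     packet_usec, linktype, packet_length) = PACKET_HDR.unpack_from(body)
    if PACKET_HDR.size + packet_length != len(body):
        raise ValueError("packet_length %d disagrees with record length %d" % (packet_length, len(body)))
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "packet_second": packet_second, "packet_microsecond": packet_usec,
            "linktype": linktype, "packet_length": packet_length,
            "packet": body[PACKET_HDR.size:].hex().upper()}


def parse_extra_data(body):
    """Parse a UNIFIED2_EXTRA_DATA body; blob_length includes the 8 bytes of data_type + blob_length."""
    if len(body) < EXTRA_HDR.size + EXTRA_DATA.size:
        raise ValueError("extra data record too short")
    event_type, event_length = EXTRA_HDR.unpack_from(body)
    if event_length != len(body):
        raise ValueError("event_length %d disagrees with record length %d" % (event_length, len(body)))
    (sensor_id, event_id, event_second,
     info_type, data_type, blob_length) = EXTRA_DATA.unpack_from(body, EXTRA_HDR.size)
    data_len = blob_length - 8
    start = EXTRA_HDR.size + EXTRA_DATA.size
    data = body[start:start + data_len]
    if data_len < 0 or len(data) != data_len:
        raise ValueError("blob_length %d does not fit in record" % blob_length)
    # Decode the address types whose wire format is fixed; everything else stays hex.
    if info_type in (2, 11, 12) and data_len == 16:
        value = str(ipaddress.IPv6Address(data))
    elif info_type == 1 and data_len == 4:
        value = str(ipaddress.IPv4Address(data))
    else:
        value = data.hex()
    return {"event_type": event_type, "sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "type": info_type,
            "type_name": EVENT_INFO_NAMES.get(info_type, "UNKNOWN"),
            "data_type": data_type, "value": value}


PARSERS = {UNIFIED2_PACKET: parse_packet, UNIFIED2_EXTRA_DATA: parse_extra_data}


def read_records(buf):
    """Walk a unified2 buffer; returns [(offset, type, length, parsed-or-None)].
    A truncated trailing record (Snort may still be writing it) ends the walk instead of raising."""
    out, offset = [], 0
    while offset + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, offset)
        body = buf[offset + RECORD_HDR.size:offset + RECORD_HDR.size + rlen]
        if len(body) != rlen:
            break
        parser = PARSERS.get(rtype)
        out.append((offset, rtype, rlen, parser(body) if parser else None))
        offset += RECORD_HDR.size + rlen
    return out


def build_sample():
    """Constructed sample (not a real capture): one IPV6_SRC extra-data record, then one packet record."""
    v6 = ipaddress.IPv6Address("2001:db8::1").packed
    extra_body = (EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, 8 + 24 + len(v6))
                  + EXTRA_DATA.pack(0, 7, 1357905255, 11, EVENT_DATA_TYPE_BLOB, 8 + len(v6)) + v6)
    pkt = bytes(range(0xF0, 0x100))  # 16 bytes with the high bit set, to exercise unsigned formatting
    packet_body = PACKET_HDR.pack(0, 7, 1357905255, 1357905255, 948346, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(extra_body)) + extra_body
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body)


if __name__ == "__main__":
    for offset, rtype, rlen, parsed in read_records(build_sample()):
        print("------------------\nu2 header type: %d\nheader length: %d\noffset: %d" % (rtype, rlen, offset))
        for k, v in (parsed or {}).items():
            print("%s: %s" % (k, v))
```

Run it directly to get a dump in the same shape as the one above; to read a real spool file, replace `build_sample()` with the file's bytes. The length cross-checks (`event_length` and `packet_length` against the record length, `blob_length` against what remains) are what keep a corrupt or truncated record from being silently misread as the next one.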