[Snort-devel] Missing value in manual definition of u2 packet record

Rahul Burman (rahburma) rahburma at ...3461...
Wed Aug 19 08:27:23 EDT 2015


Hi fearnothing

Thanks for reporting this issue. It will be fixed in the next release.

Thanks


Rahul Burman
ENGINEER.SOFTWARE ENGINEERING
rahburma at ...3461...
Phone: +91 80 4365 7902

Cisco Systems Limited
SEZ, Embassy Tech Village,Panathur Varthur Hobli, Bangalore East Taluk
BANGALORE
KARNATAKA
560 037
IN
Cisco.com<http://www.cisco.com>






This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html



From: fear nothing [mailto:fear.nothing at ...2499...]
Sent: Monday, August 17, 2015 11:41 PM
To: Snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Missing value in manual definition of u2 packet record

I believe I have found an error in the manual.snort.org documentation for the unified2 output. Specifically, the structure for Unified2 Packet records <http://manual.snort.org/node44.html#SECTION00632000000000000000> is currently:

    sensor id               4 bytes
    event id                4 bytes
    event seconds           4 bytes
    event microseconds      4 bytes
    linktype                4 bytes
    packet length           4 bytes
    packet data             <variable length>

The actual output of my device (currently running 2.9.7.3) is more accurately represented by:

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    packet second           4 bytes
    packet microsecond      4 bytes
    linktype                4 bytes
    packet length           4 bytes
    packet data             <variable length>

The C header <https://github.com/jasonish/snort/blob/master/src/sfutil/Unified2_common.h#L135> seems to support this belief. It's a small thing but could save headaches for the next person crazy enough to start parsing the unified2 output themselves :)

Regards,
fearnothing
github.com/scherma
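The difference between the two layouts in the mail above is worth seeing in code. The following parser is an added example, not code from this thread or from the Snort project. It decodes a Unified2 Packet record with the seven-field layout the mail (and the cited C header) describe, and shows what a parser written from the manual's six-field layout reads from the same bytes. It assumes two things not stated in the mail: that unified2 is serialized in network byte order (big-endian), and that each record is framed by a 4-byte type and 4-byte length with the packet record type being 2; the sample record bytes are constructed here, not captured from a sensor.

```python
import struct

# Unified2 serializes every field in network byte order (big-endian); the
# "!" in the struct format strings below reflects that. Not stated in the mail.
# Per-record framing: a 4-byte type and a 4-byte length precede each record.
# The type value 2 for a packet record is assumed here; Unified2_common.h is
# the authoritative source for that constant.
RECORD_HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2

# Fixed part of a packet record as the mail (and the C header it cites)
# describe it: seven 32-bit fields, 28 bytes, followed by packet data.
ACTUAL_HDR = struct.Struct("!7I")
ACTUAL_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

# Fixed part as the manual printed it: six 32-bit fields, 24 bytes.
# Kept only to show what a parser written from the manual would read.
MANUAL_HDR = struct.Struct("!6I")
MANUAL_FIELDS = ("sensor_id", "event_id", "event_seconds",
                 "event_microseconds", "linktype", "packet_length")


def parse_packet_record(body, layout=ACTUAL_HDR, fields=ACTUAL_FIELDS):
    """Decode one packet record body into a dict.

    packet_length is checked against the bytes actually present, so a
    truncated or misaligned record raises instead of silently returning a
    slice of whatever happens to follow.
    """
    if len(body) < layout.size:
        raise ValueError("record shorter than fixed header")
    rec = dict(zip(fields, layout.unpack_from(body, 0)))
    data = body[layout.size:]
    if rec["packet_length"] > len(data):
        raise ValueError("packet_length %d exceeds %d available bytes"
                         % (rec["packet_length"], len(data)))
    rec["packet_data"] = data[:rec["packet_length"]]
    return rec


def iter_records(blob):
    """Yield (type, body) for each framed record in a unified2 byte blob."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        body = blob[off:off + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += rlen


def parse_packets(blob):
    """Return decoded packet records from a unified2 blob, skipping other types."""
    return [parse_packet_record(body) for rtype, body in iter_records(blob)
            if rtype == UNIFIED2_PACKET]


# Constructed sample payload, not output captured from a sensor.
SAMPLE_PAYLOAD = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_sample_record():
    """A packet record body laid out the way the mail says a 2.9.7.3 sensor writes it."""
    fixed = ACTUAL_HDR.pack(1, 42, 1439851274, 1439851274, 987654, 1,
                            len(SAMPLE_PAYLOAD))
    return fixed + SAMPLE_PAYLOAD


def build_sample_file():
    """One framed packet record, as it would sit inside a unified2 file."""
    body = build_sample_record()
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def misparse_with_manual_layout(body):
    """Read the same bytes with the manual's layout and return the fields a
    reader would use to frame the payload: the microsecond value lands in
    linktype and the real linktype is taken as the packet length."""
    rec = parse_packet_record(body, MANUAL_HDR, MANUAL_FIELDS)
    return {k: rec[k] for k in ("linktype", "packet_length", "packet_data")}


def rejects_truncated(body):
    """True if the parser refuses a record whose payload was cut short by 4 bytes."""
    try:
        parse_packet_record(body[:-4])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rec in parse_packets(build_sample_file()):
        print(rec)
    print("manual layout reads:", misparse_with_manual_layout(build_sample_record()))
```

With the manual's layout the sample decodes without error, which is the headache the mail alludes to: every field from `packet second` onward is shifted by one, so `linktype` takes the microsecond value and `packet length` takes the real linktype. The length check in `parse_packet_record` is what turns a more badly shifted record into an exception rather than an over-read of the next record's bytes.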