[Snort-devel] Extending unified2 output with custom information from dynamic preprocessor

Jan Hermes jan.hermes at hotmail.de
Sat Sep 2 03:46:26 EDT 2017


Hello,

I developed a dynamic preprocessor that extracts custom important
information out of network packets that is not included in the
unified2 output.

Under the following assumptions:

- There is a fully working dynamic preprocessor SNIFF that works on a
new network protocol
- I wrote a rule that makes SNIFF trigger a Snort alert with a custom
message if a specified source name was matched.
- The message is in the form of ** (...) sourcename -> destname
etc... ** It gets created in the SNIFF preprocessor and added to the
alert message.
- Normal console Alerts or alert.log are showing this additional
information
- The unified2 output, with its specified information in different
variables, is not showing any of this additional alert message
information

Is there a way to add new information to the unified2 output? If yes,
can you point me towards a specific direction?

Thanks and Greetings
Jan
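As an added example (not part of the post above and not Snort's own code), the following Python builds and parses unified2 extra-data records (type 110), the record kind unified2 uses to carry data beyond the fixed fields of an event record; the header layouts follow Snort 2.9's Unified2_common.h as I know it, the sample bytes are constructed, and CUSTOM_INFO_TYPE is a hypothetical value that is not a Snort-defined EventInfo type.

```python
import struct
from typing import Iterator, List, Tuple

# Record types and constants from Snort's Unified2_common.h
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_EXTRA_DATA = 110
EVENT_DATA_TYPE_BLOB = 1
EVENT_INFO_HTTP_URI = 9
CUSTOM_INFO_TYPE = 200  # hypothetical value for a preprocessor's own message, not defined by Snort

HDR = struct.Struct("!II")       # Serial_Unified2_Header: type, length of the body that follows
XTRA = struct.Struct("!IIIIII")  # SerialUnified2ExtraData: sensor_id, event_id, event_second,
                                 # type (EventInfo), data_type, blob_length

def build_record(rtype: int, body: bytes) -> bytes:
    return HDR.pack(rtype, len(body)) + body

def build_extra_data(sensor_id: int, event_id: int, event_second: int,
                     info_type: int, blob: bytes) -> bytes:
    # blob_length counts the blob plus the data_type and blob_length fields (2 * 4 bytes)
    body = XTRA.pack(sensor_id, event_id, event_second, info_type,
                     EVENT_DATA_TYPE_BLOB, len(blob) + 8) + blob
    return build_record(UNIFIED2_EXTRA_DATA, body)

def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a unified2 byte stream, yielding (record_type, body); refuse truncated records."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        if off + length > len(data):
            raise ValueError("truncated unified2 record")
        yield rtype, data[off:off + length]
        off += length

def extra_data_for_event(data: bytes, event_id: int) -> List[Tuple[int, bytes]]:
    """Return (info_type, blob) for every extra-data record tied to the given event_id."""
    out = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue
        _sensor, eid, _sec, info_type, data_type, blob_len = XTRA.unpack_from(body, 0)
        if eid != event_id or data_type != EVENT_DATA_TYPE_BLOB:
            continue
        out.append((info_type, body[XTRA.size:XTRA.size + blob_len - 8]))
    return out

# Constructed sample stream: a placeholder event record (60 zero bytes, not a real event)
# followed by two extra-data records that belong to event_id 42.
SAMPLE = (
    build_record(UNIFIED2_IDS_EVENT_VLAN, b"\x00" * 60)
    + build_extra_data(1, 42, 1504338386, EVENT_INFO_HTTP_URI, b"/index.html")
    + build_extra_data(1, 42, 1504338386, CUSTOM_INFO_TYPE, b"sourcename -> destname")
)
```

Running extra_data_for_event(SAMPLE, 42) returns both blobs in order, which is how a consumer such as barnyard2 or u2spewfoo can be checked for whether any extra-data record is present at all.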


