[Snort-devel] Unified2 log

conf file conf.files at gmail.com
Wed Apr 11 18:02:16 EDT 2018


I wrote a small Perl script a while ago that parses Unified2 files using
Jason Brvenik's SnortUnified Perl module. The output of the log messages is
currently CEF formatted for ArcSight, but you could easily change that
within the handleLog function.

I hope you find it useful:
https://github.com/magikman/SuricataTools/blob/master/unified2Parser.pl



On Thu, Mar 8, 2018 at 7:51 AM, Ron H via Snort-devel <snort-devel at lists.snort.org> wrote:

> Hello Snort-devel,
>
> We use Unified2 packet logging to log our Snort rules. The Unified2 log
> rotates every X MB by definition.
> Our system converts this Unified2 log to a pcap file by SigID and sends it to
> an offline IDS.
>
> The problem is that Unified2 logs can cut sessions in the middle, before they
> have ended, because of the log rotation size.
> We are interested in reducing this issue.
>
> We would like to know how we can resolve this issue.
> One of the solutions we are thinking of is writing the Unified2/pcap log by
> SigID. Is that possible?
>
> Thanks!
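As an added example that is not part of this thread and not the linked Perl script: a minimal Python parser for the Unified2 record stream that joins packet records to their IDS event and groups the packets by signature ID (the split by SigID the quoted question asks about), stopping cleanly at a record cut short by log rotation. Record layouts follow Snort's Unified2_common.h; the sample bytes are constructed, not a real capture.

```python
import struct
from collections import defaultdict
# Record type values from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_V2 = 104

RECORD_HDR = struct.Struct("!II")       # type, length (network byte order)
# Legacy IPv4 event: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes. The V2 event
# only appends fields (mpls_label, vlan_id, pad), so the same prefix applies to it.
IDS_EVENT = struct.Struct("!11I2H4B")
# Packet record: sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length
PACKET_HDR = struct.Struct("!7I")

def iter_records(data):
    """Yield (type, payload) for each complete record; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):      # file rotated mid-record: do not parse a partial record
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def split_packets_by_sid(data):
    """Return {signature_id: [packet bytes, ...]}; packets join their event via (sensor_id, event_id)."""
    sid_of_event, out = {}, defaultdict(list)
    for rtype, payload in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2):
            f = IDS_EVENT.unpack_from(payload)
            sid_of_event[(f[0], f[1])] = f[4]   # fields 0, 1, 4 = sensor_id, event_id, signature_id
        elif rtype == UNIFIED2_PACKET:
            sensor, event_id, _, _, _, _, pkt_len = PACKET_HDR.unpack_from(payload)
            sid = sid_of_event.get((sensor, event_id))
            if sid is not None:                 # a packet whose event fell in the previous file is dropped
                out[sid].append(payload[PACKET_HDR.size:PACKET_HDR.size + pkt_len])
    return dict(out)

# Constructed sample stream (not a real capture): two events, three packets, one truncated record.
def build_event(sensor, event_id, sid):
    body = IDS_EVENT.pack(sensor, event_id, 0, 0, sid, 1, 1, 0, 1, 0, 0, 0, 0, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body
def build_packet(sensor, event_id, pkt):
    body = PACKET_HDR.pack(sensor, event_id, 0, 0, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body
SAMPLE = (build_event(1, 10, 2000001) + build_packet(1, 10, b"\xaa" * 8)
          + build_event(1, 11, 2000002) + build_packet(1, 11, b"\xbb" * 4)
          + build_packet(1, 10, b"\xcc" * 2)
          + RECORD_HDR.pack(UNIFIED2_PACKET, 64) + b"\x00" * 10)   # cut short by rotation
```

Packets that land in the next rotated file without their event record are dropped rather than misattributed, which is the case the quoted question is worried about.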