[Snort-sigs] Explain unified2 Output

Peter Bates peter.bates at ...3791...
Fri May 31 04:07:44 EDT 2013




Hello all

On 31/05/2013 05:26, sumitkamboj88 at ...2420... wrote:
> Below is output of snort log using unified2.

> (IPv6 Event)
>     sensor id: 0    event id: 7    event second: 1369738500    event

> I do not have any clue about event second and event microsecond. Can any
> one explain what these two representing. Is it combination of year, month,
> day, hour,second or anything else. Please help to understand both.

It's in Unix epoch time - the event second above is - 11:55:00-2013/05/28

The following ropy Perl will decode it:

#!/usr/bin/perl
use strict;
use warnings;

# Expect exactly one argument: the unified2 "event second" value (Unix epoch seconds).
die "Usage: $0 <time>\n" unless @ARGV == 1;
my $time = $ARGV[0];

# localtime() converts epoch seconds into this host's local timezone;
# the year is offset from 1900 and the month is zero-based.
my ($seconds, $minutes, $hours, $day_of_month, $month, $year,
    $wday, $yday, $isdst) = localtime($time);
printf("Dateline: %02d:%02d:%02d-%04d/%02d/%02d\n",
    $hours, $minutes, $seconds, $year + 1900, $month + 1,
    $day_of_month);

Although whatever you read the u2 logs into will interpret the value for you.
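As an added example (not from the post, and not Snort's own code), the same decoding in Python, extended to pull the fields out of a raw unified2 record: the record header layout (4-byte type, 4-byte length, network byte order) and the leading sensor_id / event_id / event_second / event_microsecond fields are assumed from the unified2 format, the type code 72 for IPv6 events is an assumption, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed unified2 layout: each record is a 4-byte type and 4-byte length
# (network byte order) followed by the record body; an IDS event body
# starts with sensor_id, event_id, event_second, event_microsecond,
# each an unsigned 32-bit network-order integer.
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72  # assumed type code for "(IPv6 Event)" records


def decode_event_time(event_second, event_microsecond):
    """Combine the two unified2 fields into a timezone-aware UTC datetime."""
    if not 0 <= event_microsecond < 1_000_000:
        raise ValueError("event microsecond must be in 0..999999")
    base = datetime.fromtimestamp(event_second, tz=timezone.utc)
    return base.replace(microsecond=event_microsecond)


def dateline(ts):
    """Same HH:MM:SS-YYYY/MM/DD shape as the Perl above, but always in UTC."""
    return ts.strftime("%H:%M:%S-%Y/%m/%d")


def parse_event_record(buf):
    """Parse one unified2 record; return its type, ids and UTC timestamp."""
    if len(buf) < 8:
        raise ValueError("short unified2 record header")
    rec_type, rec_len = struct.unpack("!II", buf[:8])
    body = buf[8:8 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated unified2 record body")
    if rec_type not in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6):
        return {"type": rec_type, "timestamp": None}  # not an event record
    if rec_len < 16:
        raise ValueError("event body too short for the timestamp fields")
    sensor_id, event_id, ev_sec, ev_usec = struct.unpack("!IIII", body[:16])
    return {"type": rec_type, "sensor_id": sensor_id, "event_id": event_id,
            "timestamp": decode_event_time(ev_sec, ev_usec)}


# Constructed sample (not a real capture): only the leading fields of the
# event quoted in the post, with a made-up microsecond value.
SAMPLE = struct.pack("!IIIIII", UNIFIED2_IDS_EVENT_IPV6, 16, 0, 7, 1369738500, 123456)

if __name__ == "__main__":
    rec = parse_event_record(SAMPLE)
    print(rec["sensor_id"], rec["event_id"], rec["timestamp"].isoformat())
```

Rendered in UTC the quoted event second comes out as 10:55:00-2013/05/28; the 11:55:00 above is the same instant in London local time (BST), which is why timestamps should be normalised to UTC before correlating events across sensors.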

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
