[Snort-users] unified format

Roland Turner (SourceForge) raz.fs.arg at ...9950...
Fri Aug 19 02:37:53 EDT 2005


Igor Belikov said:


>  1. In archive of this mailing list I read that unified alert file
>  contains only alerts information, and unified log file contains both
>  alerts and corresponding payloads. But documentation says different:
>  unified log contains only payload, and I confirmed this by some
>  tests.


The unified log format does not contain broken out fields for
protocol-number or src/dest ip-address/port-number, while the unified
alert format does. This information is, however, still available in the
payload in the unified log format. The gen:sid:rev, classification,
priority, eventid and timestamps are presented identically in both formats
as part of the Event struct.

- Raz






More information about the Snort-users mailing list