[Snort-users] unified format
Roland Turner (SourceForge)
raz.fs.arg at ...9950...
Fri Aug 19 02:37:53 EDT 2005
Igor Belikov said:
> 1. In archive of this mailing list I read that unified alert file
> contains only alerts information, and unified log file contains both
> alerts and corresponding payloads. But documentation says different:
> unified log contains only payload, and I confirmed this by some
The unified log format does not contain broken out fields for
protocol-number or src/dest ip-address/port-number, while the unified
alert format does. This information is, however, still available in the
payload in the unified log format. The gen:sid:rev, classification,
priority, eventid and timestamps are presented identically in both formats
as part of the Event struct.
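The distinction above, as an added example that is not part of this thread: a small parser that reads a unified alert record and a unified log record for the same event, takes the 5-tuple from the alert's broken-out fields, recovers the same 5-tuple from the packet carried in the log record, and confirms the two records correlate on event_id. The record layouts (EVENT_FMT, ALERT_TAIL_FMT, LOG_TAIL_FMT) are assumptions modelled on the Snort 2.x unified v1 structs, written here as little-endian unpadded fields; real files use host byte order and C struct alignment, and the sample records and packet are constructed, not captured.

```python
import struct
import ipaddress
from typing import NamedTuple, Tuple

# Assumed on-disk layouts (little-endian, unpadded 32-bit fields), modelled on the
# Snort 2.x unified v1 structs Event / UnifiedAlert / UnifiedLog. Real files are
# written in host byte order with C struct alignment; adjust for real captures.
EVENT_FMT = "<9I"               # gen, sid, rev, class, prio, event_id, event_ref, ref_sec, ref_usec
ALERT_TAIL_FMT = "<II4s4sHHII"  # ts_sec, ts_usec, sip, dip, sp, dp, protocol, flags
LOG_TAIL_FMT = "<IIIII"         # flags, ts_sec, ts_usec, caplen, pktlen (raw packet follows)


class Event(NamedTuple):
    gen: int
    sid: int
    rev: int
    classification: int
    priority: int
    event_id: int
    event_ref: int
    ref_sec: int
    ref_usec: int


class FiveTuple(NamedTuple):
    proto: int
    sip: str
    dip: str
    sp: int
    dp: int


def parse_event(buf: bytes) -> Tuple[Event, int]:
    """Decode the Event header shared by both formats; return it and its byte size."""
    return Event(*struct.unpack_from(EVENT_FMT, buf, 0)), struct.calcsize(EVENT_FMT)


def parse_unified_alert(buf: bytes) -> Tuple[Event, FiveTuple]:
    """Alert records carry addresses, ports and protocol as broken-out fields."""
    ev, off = parse_event(buf)
    _ts_sec, _ts_usec, sip, dip, sp, dp, proto, _flags = struct.unpack_from(ALERT_TAIL_FMT, buf, off)
    return ev, FiveTuple(proto, str(ipaddress.IPv4Address(sip)), str(ipaddress.IPv4Address(dip)), sp, dp)


def five_tuple_from_packet(pkt: bytes) -> FiveTuple:
    """Recover the 5-tuple by decoding the packet itself (assumes Ethernet + IPv4)."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sip = str(ipaddress.IPv4Address(ip[12:16]))
    dip = str(ipaddress.IPv4Address(ip[16:20]))
    sp = dp = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP/UDP: ports are the first 4 bytes of L4
        sp, dp = struct.unpack_from("!HH", ip, ihl)
    return FiveTuple(proto, sip, dip, sp, dp)


def parse_unified_log(buf: bytes) -> Tuple[Event, FiveTuple, bytes]:
    """Log records carry only Event + packet header + raw packet; no broken-out addresses."""
    ev, off = parse_event(buf)
    _flags, _ts_sec, _ts_usec, caplen, _pktlen = struct.unpack_from(LOG_TAIL_FMT, buf, off)
    off += struct.calcsize(LOG_TAIL_FMT)
    pkt = buf[off:off + caplen]
    if len(pkt) != caplen:
        raise ValueError("truncated unified log record")
    return ev, five_tuple_from_packet(pkt), pkt


def build_sample_packet() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.5:40000 -> 192.0.2.10:80 (not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    payload = b"GET / HTTP/1.0\r\n\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed, ipaddress.IPv4Address("192.0.2.10").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_records() -> Tuple[bytes, bytes]:
    """Constructed alert and log records for one event (event_id 7) in the assumed layouts."""
    ev = struct.pack(EVENT_FMT, 1, 1000001, 2, 3, 1, 7, 7, 1124433473, 0)
    pkt = build_sample_packet()
    alert = ev + struct.pack(ALERT_TAIL_FMT, 1124433473, 0,
                             ipaddress.IPv4Address("10.0.0.5").packed,
                             ipaddress.IPv4Address("192.0.2.10").packed, 40000, 80, 6, 0)
    log = ev + struct.pack(LOG_TAIL_FMT, 0, 1124433473, 0, len(pkt), len(pkt)) + pkt
    return alert, log


def correlate(alert_buf: bytes, log_buf: bytes) -> bool:
    """True when the log record is the packet behind the alert: same event_id and same 5-tuple."""
    a_ev, a_tuple = parse_unified_alert(alert_buf)
    l_ev, l_tuple, _ = parse_unified_log(log_buf)
    return a_ev.event_id == l_ev.event_id and a_tuple == l_tuple


if __name__ == "__main__":
    alert, log = build_sample_records()
    print(parse_unified_alert(alert))
    print(parse_unified_log(log)[:2])
    print("match:", correlate(alert, log))
```

The point the example makes is that nothing is lost by the log format omitting the address fields: the Event header is identical in both records, so event_id is the join key, and the 5-tuple is recoverable from the packet bytes as long as the consumer knows the link type and can decode the IP header.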