[Snort-users] format of unified log file?

Joe Patterson jpatterson at ...12705...
Fri Feb 11 11:13:43 EST 2005


The way that I figured it out was to look at the spo_unified.c, and parse
out the various structs within that.  Yes, it's C, but it's not
particularly complicated to logically parse out the structure.  Look at
these structures: UnifiedLogFileHeader, UnifiedLog, Event, SnortPktHeader.
Basically, the log file starts with a UnifiedLogFileHeader, and then has a
bunch of UnifiedLogs, which consist of an Event struct, 32 bits of flags,
and a SnortPktHeader struct (and then, I believe, caplen worth of actual
payload data), followed by a new UnifiedLog.

-Joe
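As an added example (not code from Joe or from the Snort project), here is a Python reader for the record layout described above: file header, then repeated Event + 32-bit flags + SnortPktHeader + caplen bytes of packet. The individual field lists, the little-endian byte order and the 8-byte struct timeval are my assumptions reconstructed from Snort 2.x spo_unified.c and must be checked against the copy you ship.

```python
import struct
from collections import namedtuple

# ASSUMPTION: field lists reconstructed from memory of Snort 2.x spo_unified.c.
# Snort fwrite()s raw host structs, so byte order and the size of struct
# timeval (8 bytes here, as on a 32-bit sensor) must match the sensor that
# wrote the file; a 64-bit sensor makes Event and SnortPktHeader larger.
LOG_MAGIC = 0xDEAD1080
FILE_HDR = struct.Struct("<IHHIIII")  # magic, ver_major, ver_minor, timezone, sigfigs, snaplen, linktype
EVENT    = struct.Struct("<9I")       # sig_gen, sig_id, sig_rev, class, priority, event_id, event_ref, ref_sec, ref_usec
FLAGS    = struct.Struct("<I")        # the 32 bits of flags between Event and SnortPktHeader
PKT_HDR  = struct.Struct("<4I")       # ts_sec, ts_usec, caplen, pktlen

FileHeader = namedtuple("FileHeader", "magic ver_major ver_minor timezone sigfigs snaplen linktype")
Event = namedtuple("Event", "sig_gen sig_id sig_rev classification priority event_id event_ref ref_sec ref_usec")
PktHeader = namedtuple("PktHeader", "ts_sec ts_usec caplen pktlen")
Record = namedtuple("Record", "event flags pkth payload")

def parse_unified_log(data):
    """Return (FileHeader, [Record, ...]); raise ValueError on malformed input."""
    if len(data) < FILE_HDR.size:
        raise ValueError("short file header")
    hdr = FileHeader(*FILE_HDR.unpack_from(data, 0))
    if hdr.magic != LOG_MAGIC:
        raise ValueError("bad magic 0x%08x" % hdr.magic)
    off, records = FILE_HDR.size, []
    fixed = EVENT.size + FLAGS.size + PKT_HDR.size
    while off < len(data):
        if off + fixed > len(data):
            raise ValueError("truncated record at offset %d" % off)
        ev = Event(*EVENT.unpack_from(data, off)); off += EVENT.size
        (flags,) = FLAGS.unpack_from(data, off);   off += FLAGS.size
        pk = PktHeader(*PKT_HDR.unpack_from(data, off)); off += PKT_HDR.size
        # caplen is read from the file: bound it before slicing so a corrupt or
        # hostile log cannot mis-frame every record that follows.
        if pk.caplen > hdr.snaplen or off + pk.caplen > len(data):
            raise ValueError("caplen %d out of range at offset %d" % (pk.caplen, off))
        records.append(Record(ev, flags, pk, data[off:off + pk.caplen])); off += pk.caplen
    return hdr, records

def sample_log():
    """Constructed two-record log for demonstration only; not real sensor output."""
    out = FILE_HDR.pack(LOG_MAGIC, 1, 2, 0, 0, 1514, 1)
    for sid, payload in ((1000001, b"GET / HTTP/1.0\r\n"), (2000002, b"\x00" * 4)):
        out += EVENT.pack(1, sid, 3, 2, 1, sid, 0, 1108137223, 0)
        out += FLAGS.pack(0)
        out += PKT_HDR.pack(1108137223, 0, len(payload), len(payload))
        out += payload
    return out
```

The bounds checks on caplen and on the fixed-size headers matter because the record boundaries are derived entirely from values inside the file, so one bad length desynchronises everything after it.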

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Rob Baxter
> Sent: Friday, February 11, 2005 8:04 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] format of unified log file?
>
>
> I apologize if this has been covered before, but I am looking to write a
> utility to parse the binary unified log files produced by snort.
> According to the snort Users Guide the binary log file format is
> described in the spo_unified.h header file, however when I look at that
> file I don't see anything resembling a file format desc (in fact the
> file has < 30 including comments). Am I looking in the wrong place
> (src/output-plugins directory of the 2.3.0 distribution). Would I find
> the description in an older revision of this file (appears that I'm
> looking at v1.9), or where else might I find the documentation on how
> that file is laid out? I might be able to figure it out by looking at
> the input processors for mudpit and/or barnyard, but my C is terribly
> rusty so I'd prefer to have some documentation. If anyone can point me
> in the right direction it'd be greatly appreciated. thanx,
>
> </rob>
>
> ---------------------------------------------------
> Robert M. Baxter
> Sr. Security Analyst
> Xapiens Corporation
> ---------------------------------------------------
>
>