[Snort-users] Unified Log Format
roesch at ...1935...
Tue Jun 28 19:36:22 EDT 2005
That's pretty cool, nice idea!
If you want a comprehensive map of the SIDs (Snort ID's) of GID 1,
you should look at the sid-msg.map file in the etc directory of your
Snort distribution. SID 527 is a bad-traffic.rules detect for same
source/dest IP in a packet. Typically you'll get these listening on
Basically you can infer the structure of the packet data that's
stored in a unified log record based on the GID of the event.
Typically the log data will be a standard Snort packet, but on
aggregate event like a portscan you'll get our crammed packet type
that we're overloading the field with. GIDs 100, 117, 121 and 122
are all various portscan detectors that have been built for Snort
over the years, you might just want to skip those records...
On Jun 28, 2005, at 3:52 PM, Mario D. Santana wrote:
> Hi, all. I've written a patch to Ethereal to allow it to load
> unified output and display the alert information as a top-level
> protocol. This lets you do things like search agains
> snort.sig_generator, etc.
> I'm not sure if this email should go to snort-dev, but I thought
> I'd give it a shot here first. BTW, if anyone wants to try out the
> patch, let me know off-list.
> The patch is pretty functional, but I've run into a couple of
> snags. One of these seems to be related to the "fake" packets
> generated by snort to identify port scans. But sometimes strange
> things happen, such as finding signal IDs of 527 for generator ID 1
> -- is this valid?
> I've looked through the snort manual, the code, and other likely
> places. Any help or pointers would be appreciated.
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://
Snort: Open Source Intrusion Detection and Prevention - http://
More information about the Snort-users