[Snort-users] Unified2 extra data

Peter Bates peter.bates at ...15381...
Thu Jan 3 08:58:35 EST 2013




Hello there and a Happy New Year to all...

I'm a bit late in reading Joel's blog post:
http://vrt-blog.snort.org/2012/12/exploit-kit-java-user-agent-downloading.html

In particular, I'm interested in the last paragraph:
"Now, even if you don't have a Sourcefire device you can still dump out the "extra data" fields from your unified2 logs and see exactly which URLs prompted these downloads like I show above."

Reading http://manual.snort.org/node255.html
it implies

config log_uri
config log_hostname

are useful options to add to snort.conf.

Do these extend the u2 format, or just fill in existing fields?

Is this extra information then understood by the likes of Barnyard2
and added to a database, or only viewable with u2spewfoo?

Thanks.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
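As an added illustration of what "dumping out the extra data fields" involves (example code, not from this thread, Snort or Barnyard2): a small Python reader for UNIFIED2_EXTRA_DATA records, exercised on a constructed stream. The numeric constants and field layout follow Snort's Unified2_common.h as I recall it; check them against your Snort version.

```python
import struct

# Record types and extra-data constants, as in Snort's Unified2_common.h
UNIFIED2_EXTRA_DATA = 110      # record type carrying one extra-data blob
EVENT_TYPE_EXTRA_DATA = 4      # Unified2ExtraDataHdr.event_type
EVENT_DATA_TYPE_BLOB = 1       # SerialUnified2ExtraData.data_type
EVENT_INFO_HTTP_URI = 9        # written when 'config log_uri' is set
EVENT_INFO_HTTP_HOSTNAME = 10  # written when 'config log_hostname' is set
INFO_NAMES = {EVENT_INFO_HTTP_URI: "http_uri", EVENT_INFO_HTTP_HOSTNAME: "http_hostname"}


def build_extra_data_record(sensor_id, event_id, event_second, info_type, data):
    """Serialise one UNIFIED2_EXTRA_DATA record; every header field is a big-endian u32."""
    # SerialUnified2ExtraData: blob_length counts the data plus the data_type and blob_length fields
    serial = struct.pack("!6I", sensor_id, event_id, event_second, info_type,
                         EVENT_DATA_TYPE_BLOB, len(data) + 8) + data
    # Unified2ExtraDataHdr: event_type, event_length (everything after the record header)
    body = struct.pack("!2I", EVENT_TYPE_EXTRA_DATA, 8 + len(serial)) + serial
    # Unified2RecordHeader: type, length of the body that follows
    return struct.pack("!2I", UNIFIED2_EXTRA_DATA, len(body)) + body


def parse_extra_data(stream):
    """Walk a unified2 byte stream and return the extra-data blobs it carries."""
    records, off = [], 0
    while off + 8 <= len(stream):
        rtype, rlen = struct.unpack_from("!2I", stream, off)
        off += 8
        if off + rlen > len(stream):
            raise ValueError("truncated record at offset %d" % (off - 8))
        body, off = stream[off:off + rlen], off + rlen
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # IDS event and packet records are not of interest here
        # skip the 8-byte Unified2ExtraDataHdr, then read SerialUnified2ExtraData
        sensor_id, event_id, event_second, info, _dtype, blob_len = struct.unpack_from("!6I", body, 8)
        data = body[32:32 + blob_len - 8]
        if len(data) != blob_len - 8:
            raise ValueError("blob_length exceeds record for event %d" % event_id)
        records.append({"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
                        "kind": INFO_NAMES.get(info, "type_%d" % info),
                        "value": data.rstrip(b"\x00").decode("utf-8", "replace")})
    return records


def sample_stream():
    """Constructed stream: hostname and URI extra data for one event (not real Snort output)."""
    return (build_extra_data_record(1, 42, 1357228715, EVENT_INFO_HTTP_HOSTNAME, b"example.test")
            + build_extra_data_record(1, 42, 1357228715, EVENT_INFO_HTTP_URI, b"/download/app.jar"))


if __name__ == "__main__":
    for r in parse_extra_data(sample_stream()):
        print("event %(event_id)d %(kind)s=%(value)s" % r)
```

The two records share sensor_id and event_id, which is how the extra data is joined back to the IDS event record that triggered it.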
