[Snort-users] Process Snort alerts on real time

Nora Aron valeparatodo at ...11827...
Wed Feb 22 07:22:17 EST 2017


> http://seclists.org/snort/2017/q1/11


Thanks Marcin,
Yes, that is great for static logs. But unfortunately my problem is not the
same as in that thread, unless there is something that I misunderstood.
I also could obtain the content of the packet in hexadecimal from u2Spewfoo
(after parsing it).
But u2Spewfoo is only for static logs as well. So I am trying to use the
SpoolEventReader from ids-tools, which provides you real-time events already
converted to a readable format. The problem is that this tool provides the
packet info in some kind of raw binary that I don't know how to process.
I add an extract as an example:
\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6

I could use either u2spewfoo or the combination of tools you proposed if I
had the event in unified2 from SpoolEventReader, but this is not the case.

Thanks
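The "raw binary" in the extract above is just the captured frame as bytes (the first twelve bytes `\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6` are the destination and source MAC addresses of an Ethernet header). The decoder below is an added example, not code from the original thread or from idstools: it assumes the `data` field of each entry in the event's `packets` list holds an Ethernet (DLT_EN10MB) frame, and the sample frame after those twelve bytes is constructed.

```python
"""Turn raw unified2 packet bytes into readable fields (Ethernet / IPv4 / TCP or UDP)."""
import socket
import struct

IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = ((0x02, "S"), (0x10, "A"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x20, "U"))

# Constructed sample: the two MACs are the bytes quoted in the post; the EtherType,
# IPv4 and TCP SYN headers are made up (checksums left zero, the decoder does not verify them).
SAMPLE_FRAME = (
    b"\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6"           # dst MAC, src MAC (from the post)
    b"\x08\x00"                                       # EtherType IPv4
    b"\x45\x00\x00\x28\x00\x01\x40\x00\x40\x06\x00\x00"  # IPv4: len 40, DF, TTL 64, proto TCP
    b"\x0a\x00\x00\x05\xc0\xa8\x01\x0a"               # 10.0.0.5 -> 192.168.1.10
    b"\xc3\x50\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00"  # TCP: 50000 -> 80, seq 1, ack 0
    b"\x50\x02\xff\xff\x00\x00\x00\x00"               # data offset 5, SYN, window 65535
)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)

def describe_packet(data):
    """Parse an Ethernet frame and return the fields an analyst wants to read first."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": f"0x{ethertype:04x}"}
    if ethertype != 0x0800 or len(data) < 34:      # only IPv4 is decoded here
        return info
    ip = data[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info.update(ip_version=ver_ihl >> 4, ttl=ttl, proto=IPPROTO_NAMES.get(proto, str(proto)),
                src_ip=socket.inet_ntoa(sip), dst_ip=socket.inet_ntoa(dip))
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]           # honour IHL, drop Ethernet padding
    if proto in (6, 17) and len(l4) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        if proto == 6 and len(l4) >= 14:              # flags live in byte 13 of the TCP header
            info["tcp_flags"] = "".join(n for bit, n in TCP_FLAG_BITS if l4[13] & bit)
    return info

if __name__ == "__main__":
    print(hexdump(SAMPLE_FRAME))
    print(describe_packet(SAMPLE_FRAME))
```

With a live `SpoolEventReader`, the same two functions apply to each `packet["data"]` as the event arrives, which is the readable form the thread's static tools (u2spewfoo) give you after the fact.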