[Snort-users] Process Snort alerts on real time

James Lay jlay at ...13475...
Wed Feb 22 08:49:25 EST 2017


On Wed, 2017-02-22 at 12:22 +0000, Nora Aron wrote:
> > http://seclists.org/snort/2017/q1/11
> Thanks Marcin, 
> Yes, that is great for static logs. But unfortunately my problem is
> not the same than in that thread, unless there is something that I
> misunderstood.
> I also could obtain the content of the packet in hexadecimal from
> u2Spewfoo ( after parsing it ).
> But, u2Spewfoo is only for static logs as well. So I am trying to use
> the SpoolEventReader from ids-tools that provides you real time
> events, already converted to a readable format. The problem is that
> this tools provide the packet info in some kind of binary raw that I
> don't know how to process. 
> I add an extract as an example
> \x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6
> 
> I could use both u2spewfoo or the combination of tools you proposed
> if I had the event in unified2 from SpoolEventReader, but this is not
> the case.
> 
> Thanks
Use Barnyard2 to process the u2 files, or take a look at the the alert
full method.
James


> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> 
Snort-users at lists.sourceforge.net
> 
> Go to this URL to change user options or unsubscribe:
> 
https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive:
> 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170222/56b48d0a/attachment.html>


More information about the Snort-users mailing list